Linux Analysis Report
6gIL6GLh9R

Overview

General Information

Sample Name: 6gIL6GLh9R
Analysis ID: 635071
MD5: 6dfcca37a6b1468fcaf3addab827b850
SHA1: d96baef8427ad98a42e418e49fbcf440b173fc3a
SHA256: eed19f89eba4f0ca0b1f7ef5f02080b5839f076652aeb277c59e3b6e85f18c4a
Tags: 32 arm elf gafgyt

Detection

Mirai
Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Contains symbols with names commonly found in malware
Sample tries to kill multiple processes (SIGKILL)
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes the "systemctl" command used for controlling the systemd system and service manager
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample contains symbols with suspicious names
Deletes log files
Creates hidden files and/or directories
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter

Classification

AV Detection

Multi AV Scanner detection for submitted file
Source: 6gIL6GLh9R Virustotal: Detection: 55%

Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pulseaudio (PID: 6328) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6440) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6522) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6623) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6635) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6759) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6864) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6871) Reads CPU info from /sys: /sys/devices/system/cpu/online

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:48298 -> 45.142.122.121:63645
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 221.124.68.236:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 31.99.33.88:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 162.43.182.17:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 175.227.29.114:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 86.19.19.42:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 96.65.145.104:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 161.176.93.108:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 114.102.138.161:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 128.12.66.238:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 59.240.111.228:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 204.137.173.143:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 66.58.25.37:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 212.66.173.249:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 79.105.233.64:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 152.195.222.151:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 204.39.130.169:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 156.94.224.156:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 190.220.55.162:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 171.252.135.91:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 136.92.69.116:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 116.115.229.17:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 133.136.6.3:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 63.139.0.104:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 190.252.123.242:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 151.153.254.232:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 157.4.92.194:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 199.254.204.5:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 142.75.39.187:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 106.78.55.248:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 160.251.226.133:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 113.35.242.94:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 193.173.180.151:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 209.118.183.239:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 45.245.192.125:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 38.24.61.210:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 130.17.244.97:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 80.149.246.250:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 124.197.166.0:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 99.88.89.22:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 83.31.47.23:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 32.151.18.210:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 111.151.27.59:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 112.227.225.125:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 96.118.253.56:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 4.183.146.38:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 12.176.255.125:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 81.122.246.221:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 113.196.182.31:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 78.119.238.156:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 19.107.158.84:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 213.195.58.225:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 9.8.1.145:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 68.3.135.242:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 163.162.180.227:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 2.106.31.223:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 89.63.243.232:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 102.216.229.10:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 118.16.182.78:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 123.61.205.165:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 8.31.94.3:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 19.227.190.132:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 124.17.15.250:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 179.233.214.187:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 105.184.201.103:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 117.199.116.150:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 160.123.247.80:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 136.249.34.80:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 114.32.6.236:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 219.162.131.91:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 121.134.161.204:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 114.218.127.3:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 123.214.77.166:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 24.162.214.176:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 32.174.147.237:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 61.205.74.185:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 90.85.131.47:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 115.178.168.23:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 93.138.52.203:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 114.79.130.109:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 61.42.125.117:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 180.34.54.98:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 91.7.36.189:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 8.36.146.134:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 143.239.156.56:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 124.165.198.193:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 110.243.227.138:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 154.200.91.155:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 112.70.29.183:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 88.39.103.126:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 178.52.112.245:2323
Source: global traffic TCP traffic: 192.168.2.23:30675 -> 222.150.39.98:2323
Source: /tmp/6gIL6GLh9R (PID: 6234) Socket: 127.0.0.1::59025
Source: /lib/systemd/systemd-journald (PID: 6266) Socket: <unknown socket type>:unknown
Source: /usr/sbin/gdm3 (PID: 6446) Socket: <unknown socket type>:unknown
Source: /usr/bin/dbus-daemon (PID: 6476) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6516) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6625) Socket: <unknown socket type>:unknown
Source: /usr/sbin/gdm3 (PID: 6716) Socket: <unknown socket type>:unknown
Source: /usr/bin/dbus-daemon (PID: 6741) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6734) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd (PID: 6737) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6857) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6953) Socket: <unknown socket type>:unknown
Source: /usr/sbin/gdm3 (PID: 6954) Socket: <unknown socket type>:unknown
Source: unknown Network traffic detected: HTTP traffic on port 38114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 38114
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: syslog.276.dr, syslog.206.dr, syslog.168.dr, syslog.39.dr, syslog.332.dr String found in binary or memory: https://www.rsyslog.com
Source: unknown DNS traffic detected: queries for: daisy.ubuntu.com

System Summary

Source: ELF static info symbol of initial sample Name: attack.c
Source: ELF static info symbol of initial sample Name: attack_app.c
Source: ELF static info symbol of initial sample Name: attack_get_opt_int
Source: ELF static info symbol of initial sample Name: attack_get_opt_ip
Source: ELF static info symbol of initial sample Name: attack_get_opt_str
Source: ELF static info symbol of initial sample Name: attack_gre.c
Source: ELF static info symbol of initial sample Name: attack_gre_eth
Source: ELF static info symbol of initial sample Name: attack_gre_ip
Source: ELF static info symbol of initial sample Name: attack_init
Source: ELF static info symbol of initial sample Name: attack_method_http
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 491, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 658, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 720, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 721, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 759, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 761, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 772, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 774, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 777, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 785, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 793, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 936, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 1344, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 1860, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 1886, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 2048, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6049, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6194, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6199, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6237, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6242, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6266, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6323, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6327, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6328, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6404, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6406, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6516, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6517, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6520, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6522, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6526, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6600, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6609, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6624, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6625, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6629, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6634, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6635, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6641, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6707, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6709, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6734, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6737, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6744, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6757, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6759, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6762, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6826, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6836, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6857, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6862, result: successful
Source: /tmp/6gIL6GLh9R (PID: 6241) SIGKILL sent: pid: 6867, result: successful
Source: 6gIL6GLh9R, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6237.1.0000000024c9a23c.00000000c094cd33.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6240.1.0000000065830d93.00000000a6543536.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6237.1.0000000065830d93.00000000a6543536.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6240.1.0000000024c9a23c.00000000c094cd33.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6234.1.0000000024c9a23c.00000000c094cd33.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6234.1.0000000065830d93.00000000a6543536.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6242.1.0000000024c9a23c.00000000c094cd33.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6242.1.0000000065830d93.00000000a6543536.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6236.1.0000000024c9a23c.00000000c094cd33.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: 6236.1.0000000065830d93.00000000a6543536.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), score = , modified = 2022-05-13
Source: ELF static info symbol of initial sample Name: scanner.c
Source: ELF static info symbol of initial sample Name: scanner_init
Source: ELF static info symbol of initial sample Name: scanner_kill
Source: ELF static info symbol of initial sample Name: scanner_pid
Source: ELF static info symbol of initial sample Name: scanner_rawpkt
Source: classification engine Classification label: mal72.spre.troj.lin@0/161@7/0

Persistence and Installation Behavior

Source: /usr/bin/dbus-daemon (PID: 6327) File: /proc/6327/mounts
Source: /usr/bin/dbus-daemon (PID: 6476) File: /proc/6476/mounts
Source: /usr/bin/dbus-daemon (PID: 6483) File: /proc/6483/mounts
Source: /bin/fusermount (PID: 6493) File: /proc/6493/mounts
Source: /usr/bin/dbus-daemon (PID: 6520) File: /proc/6520/mounts
Source: /usr/bin/dbus-daemon (PID: 6624) File: /proc/6624/mounts
Source: /usr/bin/dbus-daemon (PID: 6634) File: /proc/6634/mounts
Source: /usr/bin/dbus-daemon (PID: 6741) File: /proc/6741/mounts
Source: /usr/bin/dbus-daemon (PID: 6757) File: /proc/6757/mounts
Source: /usr/bin/dbus-daemon (PID: 6862) File: /proc/6862/mounts
Source: /usr/bin/dbus-daemon (PID: 6870) File: /proc/6870/mounts
Source: /usr/share/gdm/generate-config (PID: 6440) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6623) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6864) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /bin/sh (PID: 6419) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6421) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6423) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6425) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6427) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6429) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6431) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6435) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6469) Grep executable: /usr/bin/grep -> grep -F .utf8
Source: /bin/sh (PID: 6590) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6597) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6601) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6604) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6606) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6608) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6611) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6616) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6728) Grep executable: /usr/bin/grep -> grep -F .utf8
Source: /bin/sh (PID: 6828) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6833) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6835) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6838) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6846) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6848) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6852) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6854) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6968) Grep executable: /usr/bin/grep -> grep -F .utf8
Source: /lib/systemd/systemd-journald (PID: 6266) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6516) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6625) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6734) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6857) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6953) Reads from proc file: /proc/meminfo
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6870/status
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6870/attr/current
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6871/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6871/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6871/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6874/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6939/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/1/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6867/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6867/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6932/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6954/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6958/cmdline
Source: /usr/bin/dbus-daemon (PID: 6870) File opened: /proc/6969/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/910/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/910/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/6241/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/6241/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/125/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/126/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/126/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/248/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/248/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/6/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/6/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/127/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/127/cmdline
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/128/status
Source: /usr/bin/pkill (PID: 6623) File opened: /proc/128/cmdline
Source: /lib/systemd/systemd (PID: 6850) Systemctl executable: /bin/systemctl -> /bin/systemctl --user set-environment DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/127/bus
Source: /usr/bin/whoopsie (PID: 6323) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 6399) Directory: /root/.cache
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6474) Directory: /var/lib/gdm3/.cache
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6452) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 6517) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 6588) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 6629) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 6703) Directory: /root/.cache
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 6739) Directory: /var/lib/gdm3/.cache
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6720) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 6744) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 6824) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 6867) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 6939) Directory: /root/.cache
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6958) Directory: /root/.cache
Source: /usr/sbin/gdm3 (PID: 6446) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 6446) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6452) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6452) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Source: /usr/sbin/gdm3 (PID: 6716) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 6716) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6720) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6720) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Source: /usr/sbin/gdm3 (PID: 6954) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 6954) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6958) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6958) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Source: /usr/bin/gpu-manager (PID: 6418) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6420) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6422) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6424) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6426) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6428) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6430) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6433) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/share/language-tools/language-options (PID: 6467) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/bin/gpu-manager (PID: 6589) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6596) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6599) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6602) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6605) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6607) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6610) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6615) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/share/language-tools/language-options (PID: 6726) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/bin/gpu-manager (PID: 6827) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6832) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6834) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6837) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6845) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6847) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6851) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6853) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/share/language-tools/language-options (PID: 6966) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/sbin/rsyslogd (PID: 6406) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6406) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 6417) Log file created: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6585) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6609) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6609) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6709) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6825) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6836) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6836) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6945) Log file created: /var/log/kern.log
Source: /usr/bin/pulseaudio (PID: 6328) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6440) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6522) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6623) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6635) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6759) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6864) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6871) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/6gIL6GLh9R (PID: 6234) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6266) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 6323) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6328) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6404) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6406) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 6417) Queries kernel information via 'uname':
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6470) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6516) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 6517) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6522) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 6585) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6600) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6609) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6625) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 6629) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6635) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6707) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6709) Queries kernel information via 'uname':
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6729) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6734) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 6744) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6759) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 6825) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6826) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6836) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6857) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 6867) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6871) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6944) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6945) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6953) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 6417) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6585) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6825) Truncated file: /var/log/gpu-manager.log
Source: syslog.276.dr Binary or memory string: May 27 12:27:29 galassia kernel: [ 573.946562] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: syslog.39.dr Binary or memory string: May 27 12:25:49 galassia kernel: [ 474.492901] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: 6gIL6GLh9R, 6234.1.000000007652a84d.0000000099d73801.rw-.sdmp, 6gIL6GLh9R, 6236.1.000000007652a84d.0000000099d73801.rw-.sdmp, 6gIL6GLh9R, 6237.1.000000007652a84d.0000000099d73801.rw-.sdmp, 6gIL6GLh9R, 6240.1.000000007652a84d.0000000099d73801.rw-.sdmp, 6gIL6GLh9R, 6242.1.000000007652a84d.0000000099d73801.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/6gIL6GLh9RSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/6gIL6GLh9R
Source: syslog.39.dr Binary or memory string: May 27 12:25:49 galassia kernel: [ 474.492847] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: 6gIL6GLh9R, 6234.1.000000006be204e9.000000005ddec019.rw-.sdmp, 6gIL6GLh9R, 6236.1.000000006be204e9.00000000f23d7612.rw-.sdmp, 6gIL6GLh9R, 6237.1.000000006be204e9.00000000f23d7612.rw-.sdmp, 6gIL6GLh9R, 6240.1.000000006be204e9.00000000f23d7612.rw-.sdmp, 6gIL6GLh9R, 6242.1.000000006be204e9.00000000f23d7612.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: 6gIL6GLh9R, 6234.1.000000007652a84d.0000000099d73801.rw-.sdmp, 6gIL6GLh9R, 6236.1.000000007652a84d.0000000099d73801.rw-.sdmp, 6gIL6GLh9R, 6237.1.000000007652a84d.0000000099d73801.rw-.sdmp, 6gIL6GLh9R, 6240.1.000000007652a84d.0000000099d73801.rw-.sdmp, 6gIL6GLh9R, 6242.1.000000007652a84d.0000000099d73801.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: syslog.276.dr Binary or memory string: May 27 12:27:29 galassia kernel: [ 573.946528] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: 6gIL6GLh9R, 6234.1.000000006be204e9.000000005ddec019.rw-.sdmp, 6gIL6GLh9R, 6236.1.000000006be204e9.00000000f23d7612.rw-.sdmp, 6gIL6GLh9R, 6237.1.000000006be204e9.00000000f23d7612.rw-.sdmp, 6gIL6GLh9R, 6240.1.000000006be204e9.00000000f23d7612.rw-.sdmp, 6gIL6GLh9R, 6242.1.000000006be204e9.00000000f23d7612.rw-.sdmp Binary or memory string: orU!/etc/qemu-binfmt/arm

Language, Device and Operating System Detection

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6452) Logged in records file read: /var/log/wtmp
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6720) Logged in records file read: /var/log/wtmp
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6958) Logged in records file read: /var/log/wtmp
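Added triage example, not part of the Joe Sandbox report. Almost every event above is attributed to the guest's own daemons (pulseaudio, systemd-journald, agetty, rsyslogd, gpu-manager, accounts-daemon), not to the sample: in this section only the /tmp/6gIL6GLh9R line (PID 6234) is the sample itself, so signatures such as "Reads system files that contain records of logged in users" (the /var/log/wtmp reads) and "Deletes log files" (the /var/log/gpu-manager.log truncation) fire on sandbox background activity. The memory strings above (/usr/bin/qemu-arm, /etc/qemu-binfmt/arm) also show that this 32-bit ARM ELF was executed under user-mode QEMU via binfmt_misc, so the PIDs in the dump names (6234, 6236, 6237, 6240, 6242) are the emulator processes carrying the sample. The script below parses lines in the report's "Source: <exe> (PID: n) <action>: <argument>" format, tags each event as sample or host, and lists the actions that never fired for the sample. The embedded lines are a subset copied from this section (the "Jump to behavior" link text is kept on some to show it is tolerated); the sample path and the attribution rule (executable equals the sample path, or PID in an analyst-supplied process tree) are this example's assumptions.

```python
"""Attribute sandbox behaviour lines to the sample vs. the guest OS's own daemons.

Added example; not the report's or the sandbox vendor's code. Attribution rule
(sample path match, or PID in an analyst-supplied process tree) is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed input: a subset of the behaviour lines from the report section
# above, plus one memory-string line that must be skipped by the parser.
REPORT_LINES = """\
Source: /usr/bin/pulseaudio (PID: 6871) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/6gIL6GLh9R (PID: 6234) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6266) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/pulseaudio (PID: 6328) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 6417) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6452) Logged in records file read: /var/log/wtmp
Source: syslog.39.dr Binary or memory string: May 27 12:25:49 galassia kernel: [ 474.492901] Hardware name: VMware, Inc.
"""

SAMPLE_PATH = "/tmp/6gIL6GLh9R"   # assumption: path the sample was launched from

# "Source: <exe> (PID: <n>) <action>: <argument> [Jump to behavior]"
# The action is everything up to the first colon; the trailing link text
# left over from the HTML report is optional and discarded.
LINE_RE = re.compile(
    r"^Source:\s+(?P<path>\S+)\s+\(PID:\s*(?P<pid>\d+)\)\s+"
    r"(?P<action>[^:]+?):\s*(?P<arg>.*?)\s*(?:Jump to behavior)?\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one process-attributed behaviour line.

    Returns None for lines that carry no "(PID: n)" (memory-string lines,
    headings), so callers can count what was skipped instead of mis-parsing it.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m["path"],
        "pid": int(m["pid"]),
        "action": m["action"].strip(),
        "arg": m["arg"],
    }


def attribute_events(text: str, sample_path: str,
                     sample_pids: Iterable[int] = ()) -> List[dict]:
    """Tag each parsed event with from_sample=True when the executable is the
    sample itself or the PID belongs to the analyst-supplied sample tree."""
    pids = set(sample_pids)
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ev["from_sample"] = ev["path"] == sample_path or ev["pid"] in pids
        events.append(ev)
    return events


def summarize(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Count hits per action, split into sample-attributed and everything else."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"sample": 0, "other": 0})
    for ev in events:
        counts[ev["action"]]["sample" if ev["from_sample"] else "other"] += 1
    return dict(counts)


def host_only_actions(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Actions that fired only for guest-OS processes. A signature built on
    these says nothing about the sample and must not be read as its behaviour."""
    return sorted(action for action, c in summary.items() if c["sample"] == 0)


if __name__ == "__main__":
    # The qemu-arm PIDs from the memory-dump names are treated as the sample tree.
    evs = attribute_events(REPORT_LINES, SAMPLE_PATH, sample_pids=(6236, 6237, 6240, 6242))
    summary = summarize(evs)
    for action, c in sorted(summary.items()):
        print(f"{action:45s} sample={c['sample']} other={c['other']}")
    print("host-only actions:", host_only_actions(summary))
```

Run over the full section rather than the embedded subset, the host-only list is the set of signature hits a report reader should discount; the sample_pids argument is there because a sample that forks or spawns a shell will show up under other PIDs (and, under QEMU user-mode emulation, under the emulator's path), which the path rule alone would miss.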

Stealing of Sensitive Information

Source: Yara match File source: 6gIL6GLh9R, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 6gIL6GLh9R, type: SAMPLE
[Legend of the contacted-IP map: No. of IPs < 25%; 25% to 50%; 50% to 75%; > 75%]