Linux Analysis Report
Aqua.x86.elf

Overview

General Information

Sample name: Aqua.x86.elf
Analysis ID: 1436480
MD5: ff28225786d34c80a0c06fc7a0e60418
SHA1: 96005068b383fde958d7c566f2ffdc08e39f5b55
SHA256: 171e584ef2993836ad346bc8d6b70377139617aa928b5617387c23f2a906fa40
Infos:

Detection

Mirai
Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sends malformed DNS queries
Creates hidden files and/or directories
Deletes log files
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Found strings indicative of a multi-platform dropper
HTTP GET or POST without a user agent
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads system version information
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Mirai Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Aqua.x86.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: Aqua.x86.elf ReversingLabs: Detection: 60%
Source: Aqua.x86.elf Virustotal: Detection: 54% Perma Link
Machine Learning detection for sample
Source: Aqua.x86.elf Joe Sandbox ML: detected
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6495) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6760) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6858) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 7023) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 7115) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7281) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7370) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7535) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7551) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7666) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7756) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7853) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7861) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7976) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7975) Reads CPU info from /sys: /sys/devices/system/cpu/online
Found strings indicative of a multi-platform dropper
Source: Aqua.x86.elf String: EOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff/fdsocket/proc/%s/stat/proc/proc/%d/exe/proc/%d/stat%d %s %c %d/proc/%d/maps/var/run/mnt/root/var/tmp/boot/bin/sbin/../(deleted)/homedbgmpslmipselmipsarmarm4arm5arm6arm7sh4m68kx86x586x86_64i586i686ppcspc[locker] killed process: %s ;; pid: %d

Networking
barindex
Sends malformed DNS queries
Source: global traffic DNS traffic detected: malformed DNS query: net.kovey-net.lol. [malformed]
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:50012 -> 89.190.156.145:7733
Source: global traffic TCP traffic: 192.168.2.23:53014 -> 94.156.8.76:33966
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue
Reads the 'hosts' file potentially containing internal network hosts
Source: /usr/sbin/rsyslogd (PID: 6393) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6492) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6594) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6672) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6761) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6770) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6868) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6936) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 7017) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 7027) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 7120) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7130) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7197) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7278) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7283) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7377) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7451) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7533) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7540) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7569) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7641) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7662) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7766) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7835) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7857) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7887) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7957) Reads hosts file: /etc/hosts
Sample listens on a socket
Source: /lib/systemd/systemd-journald (PID: 6664) Socket: <unknown socket type>:unknown Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) Socket: <unknown socket type>:unknown Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6875) Socket: <unknown socket type>:unknown Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) Socket: <unknown socket type>:unknown Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 7135) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 7199) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 7388) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 7452) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 7581) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 7774) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 7890) Socket: <unknown socket type>:unknown
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol. [malformed]
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue
Source: syslog.518.dr String found in binary or memory: https://www.rsyslog.com
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 37650
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 37632
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 37632 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 37650 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: Aqua.x86.elf PID: 6217, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1638, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6220, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6191, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6193, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6381, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6391, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6392, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6393, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6480, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6481, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6483, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6492, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6493, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6040, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6570, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6584, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6592, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6594, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6595, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6604, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6664, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6669, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6671, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6672, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6673, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6758, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6759, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6761, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6764, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6766, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6770, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6864, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6864, result: no such process Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6865, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6738, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6787, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6859, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6867, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6868, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6869, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6873, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6875, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6878, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6935, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6936, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6937, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6941, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6943, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7017, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7018, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7021, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7022, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7005, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7027, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7028, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7119, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7119, result: no such process Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7120, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7121, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6942, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7038, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7116, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7122, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7123, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7130, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7131, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7135, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7138, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7195, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7196, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7197, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7198, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7200, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7275, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7278, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7279, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7280, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7264, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7282, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7283, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7284, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7374, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7374, result: no such process Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7375, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7377, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7199, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7297, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7371, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7383, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7384, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7385, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7388, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7391, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7448, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7449, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7450, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7451, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7470, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7532, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7533, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7513, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7536, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7540, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7542, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7550, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7551, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7565, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7565, result: no such process Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7452, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7455, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7569, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7570, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7575, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7576, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7577, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7578, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7641, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7642, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7648, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7643, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7662, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7663, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7666, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7581, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7687, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7759, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7760, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7765, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7766, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7770, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7772, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7773, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7835, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7836, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7837, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7841, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7834, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7853, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7856, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7857, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7774, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7777, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7875, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7880, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7883, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7884, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7885, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7886, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7887, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7951, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7952, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7953, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7954, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7957, result: successful Jump to behavior
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1638, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6220, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6191, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6193, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6381, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6391, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6392, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6393, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6480, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6481, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6483, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6492, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6493, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6040, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6570, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6584, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6592, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6594, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6595, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6604, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6664, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6669, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6671, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6672, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6673, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6758, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6759, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6761, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6764, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6766, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6770, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6864, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6864, result: no such process Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6865, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6738, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6787, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6859, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6867, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6868, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6869, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6873, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6875, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6878, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6935, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6936, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6937, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6941, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6943, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7017, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7018, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7021, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7022, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7005, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7027, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7028, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7119, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7119, result: no such process Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7120, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7121, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 6942, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7038, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7116, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7122, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7123, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7130, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7131, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7135, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7138, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7195, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7196, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7197, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7198, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7200, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7275, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7278, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7279, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7280, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7264, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7282, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7283, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7284, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7374, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7374, result: no such process Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7375, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7377, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7199, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7297, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7371, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7383, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7384, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7385, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7388, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7391, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7448, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7449, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7450, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7451, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7470, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7532, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7533, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7513, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7536, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7540, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7542, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7550, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7551, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7565, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7565, result: no such process Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7452, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7455, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7569, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7570, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7575, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7576, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7577, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7578, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7641, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7642, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7648, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7643, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7662, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7663, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7666, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7581, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7687, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7759, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7760, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7765, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7766, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7770, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7772, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7773, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7835, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7836, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7837, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7841, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7834, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7853, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7856, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7857, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7774, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7777, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7875, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7880, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7883, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7884, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7885, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7886, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7887, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7951, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7952, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7953, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7954, result: successful Jump to behavior
Source: /tmp/Aqua.x86.elf (PID: 6219) SIGKILL sent: pid: 7957, result: successful Jump to behavior
Yara signature match
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: Aqua.x86.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: Aqua.x86.elf PID: 6217, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: classification engine Classification label: mal92.spre.troj.evad.linELF@0/242@87/0

Persistence and Installation Behavior
barindex
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /usr/bin/dbus-daemon (PID: 6381) File: /proc/6381/mounts Jump to behavior
Source: /bin/fusermount (PID: 6469) File: /proc/6469/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6483) File: /proc/6483/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6570) File: /proc/6570/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6671) File: /proc/6671/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6766) File: /proc/6766/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6869) File: /proc/6869/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6937) File: /proc/6937/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 7018) File: /proc/7018/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 7028) File: /proc/7028/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 7121) File: /proc/7121/mounts
Source: /usr/bin/dbus-daemon (PID: 7131) File: /proc/7131/mounts
Source: /usr/bin/dbus-daemon (PID: 7198) File: /proc/7198/mounts
Source: /usr/bin/dbus-daemon (PID: 7279) File: /proc/7279/mounts
Source: /usr/bin/dbus-daemon (PID: 7284) File: /proc/7284/mounts
Source: /usr/bin/dbus-daemon (PID: 7449) File: /proc/7449/mounts
Source: /usr/bin/dbus-daemon (PID: 7542) File: /proc/7542/mounts
Source: /usr/bin/dbus-daemon (PID: 7550) File: /proc/7550/mounts
Source: /usr/bin/dbus-daemon (PID: 7570) File: /proc/7570/mounts
Source: /usr/bin/dbus-daemon (PID: 7642) File: /proc/7642/mounts
Source: /usr/bin/dbus-daemon (PID: 7663) File: /proc/7663/mounts
Source: /usr/bin/dbus-daemon (PID: 7759) File: /proc/7759/mounts
Source: /usr/bin/dbus-daemon (PID: 7836) File: /proc/7836/mounts
Source: /usr/bin/dbus-daemon (PID: 7856) File: /proc/7856/mounts
Source: /usr/bin/dbus-daemon (PID: 7880) File: /proc/7880/mounts
Source: /usr/bin/dbus-daemon (PID: 7884) File: /proc/7884/mounts
Source: /usr/bin/dbus-daemon (PID: 7951) File: /proc/7951/mounts
Source: /usr/bin/dbus-daemon (PID: 7968) File: /proc/7968/mounts
Creates hidden files and/or directories
Source: /usr/libexec/gsd-rfkill (PID: 6220) Directory: <invalid fd (9)>/.. Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 6220) Directory: <invalid fd (8)>/.. Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6225) Directory: <invalid fd (10)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6406) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6406) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6406) File: /run/systemd/seats/.#seat0Agar0y Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6468) Directory: /root/.cache Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6503) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6503) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6503) File: /run/systemd/seats/.#seat0QcedNX Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6604) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6604) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6664) File: /run/systemd/journal/streams/.#9:776024RFuB6 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6664) File: /run/systemd/journal/streams/.#9:77607i4gyA7 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6664) File: /run/systemd/journal/streams/.#9:77658jaAc43 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6664) File: /run/systemd/journal/streams/.#9:776749o9vr4 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6664) File: /run/systemd/journal/streams/.#9:777159I7sw8 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6664) File: /run/systemd/journal/streams/.#9:77717hCyxL5 Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6679) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6679) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6679) File: /run/systemd/seats/.#seat0rQn9Je Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:802893ADqhH Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:80291LtqeaF Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:80292D63jNG Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:80293XsfVgI Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:803009d0jmJ Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:80310ZcbNTF Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:8039452SV2H Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:80400t7Ob8G Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:80413OMP7CG Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:809866YJ7gH Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:80999KA8oBH Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:81020v3NefF Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) File: /run/systemd/journal/streams/.#9:8075082DBOG Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6787) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6787) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6787) File: /run/systemd/seats/.#seat0sCeOxp Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6878) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6878) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82925tQzjF5 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82927siTly5 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82928ErXC95 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82929IueoJ9 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82930YXsEd7 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82932RO1FM9 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82933gpRzs5 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82934Q68Do9 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:82935577FO8 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:829427L1Ba6 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:839763iTuW6 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:83985r1JfF9 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:83986HsCdy8 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:840014CbPW6 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:841121NCpg8 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:84196l0iKj5 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File: /run/systemd/journal/streams/.#9:84302OtkXD5 Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6948) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6948) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6948) File: /run/systemd/seats/.#seat0avZZVB Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 7038) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7038) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7038) File: /run/systemd/seats/.#seat0hi5PIp
Source: /lib/systemd/systemd-logind (PID: 7138) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7138) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85622N2duvA
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:856234LLoRw
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85624FnFSxx
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85625OdLpNy
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85626QWS1Wy
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85636vdlIoA
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85637hrOvay
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85638KbXiEw
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:856395GHBhA
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85646pUqUtz
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85656TuW4Dx
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85657ymSMYy
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:85679dlIS2x
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:83923yx45uA
Source: /lib/systemd/systemd-journald (PID: 7199) File: /run/systemd/journal/streams/.#9:86167qY3UJz
Source: /lib/systemd/systemd-logind (PID: 7207) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7207) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7207) File: /run/systemd/seats/.#seat0kF3Eu9
Source: /lib/systemd/systemd-logind (PID: 7297) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7297) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7297) File: /run/systemd/seats/.#seat08uFqrZ
Source: /lib/systemd/systemd-logind (PID: 7391) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7391) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:883176hHlkI
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88324Z5H1mI
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88325k1njnH
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88326BH0sSE
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:883274A4eTG
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88328g9qcLF
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88329vVMkWF
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88330hPr4mE
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:883311L4LRF
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88346karOXE
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:883557Y11dG
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:883562ynZGE
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88374aIve1G
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88392gakFkH
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88423x3yJOI
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88593nNBVpG
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88689nlFgjI
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88690RBCL8F
Source: /lib/systemd/systemd-journald (PID: 7452) File: /run/systemd/journal/streams/.#9:88766pW9JpH
Source: /lib/systemd/systemd-logind (PID: 7455) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7455) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7455) File: /run/systemd/seats/.#seat02GrLPV
Source: /usr/lib/policykit-1/polkitd (PID: 7557) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89633QMBiRs
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89635ZbOg6s
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89636Adn9Np
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89637XteHFs
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89638WL2iRr
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89641LcovQr
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:896433U1Yfp
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:896447CUG7s
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:8965512s2bp
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89662kYZV8r
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89672yu0BQr
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89673tpINXq
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89676uWgrSr
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89677n77Dgs
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89730LKaHCt
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:897502OiUxp
Source: /lib/systemd/systemd-journald (PID: 7581) File: /run/systemd/journal/streams/.#9:89804rpUhEs
Source: /lib/systemd/systemd-logind (PID: 7584) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7584) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7584) File: /run/systemd/seats/.#seat011EhSE
Source: /usr/lib/policykit-1/polkitd (PID: 7655) Directory: /root/.cache
Source: /lib/systemd/systemd-logind (PID: 7687) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7687) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7687) File: /run/systemd/seats/.#seat0U6Jzit
Source: /usr/lib/policykit-1/polkitd (PID: 7749) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91847RdeSc0
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:918510LqXr0
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91852gsca61
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91854SkoNU2
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91864oa0ha1
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91866BvPFn1
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:918732FGH9Z
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91880WKTZQ0
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91891nuqg40
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91892awJaZ0
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91894fZ63g1
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:91990Tj4ug4
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:92053thSdd3
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:93192sBlYc0
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:93249ggDQA0
Source: /lib/systemd/systemd-journald (PID: 7774) File: /run/systemd/journal/streams/.#9:93250JaEgG1
Source: /lib/systemd/systemd-logind (PID: 7777) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7777) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7777) File: /run/systemd/seats/.#seat0NpeR8e
Source: /usr/lib/policykit-1/polkitd (PID: 7871) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94442oGqPaO
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:944430UYE7M
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94445Ae3nbN
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94452Jro49O
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94525MV1W7O
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94526a10EBN
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94532S047aO
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:945337WdPHL
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94534R2fr1L
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94535VvMNcM
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94544X3e88P
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94545jeE9YM
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94546MY0jSL
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:94547VeYpMP
Source: /lib/systemd/systemd-journald (PID: 7890) File: /run/systemd/journal/streams/.#9:945481S9GHL
Source: /lib/systemd/systemd-logind (PID: 7893) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7893) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7893) File: /run/systemd/seats/.#seat04drsv2
Enumerates processes within the "proc" file system
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/7651/cmdline
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/7584/cmdline
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/7642/status
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/7642/attr/current
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/7655/cmdline
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/1/cmdline
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/7648/cmdline
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/7647/cmdline
Source: /usr/bin/dbus-daemon (PID: 7642) File opened: /proc/7647/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/22/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/22/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/23/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/23/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/24/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/24/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/25/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/25/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/26/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/26/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/6/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/6/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/9/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/9/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/20/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/20/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/21/status
Source: /usr/bin/pkill (PID: 7281) File opened: /proc/21/cmdline
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7121/comm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7121/cmdline Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7121/status Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7121/attr/current Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7121/sessionid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7121/loginuid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7121/cgroup Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7120/comm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7120/cmdline Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7120/status Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7120/attr/current Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7120/sessionid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7120/loginuid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7120/cgroup Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7123/comm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7123/cmdline Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7123/status Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7123/attr/current Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7123/sessionid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7123/loginuid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7123/cgroup Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7017/comm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7017/cmdline Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7017/status Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7017/attr/current Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7017/sessionid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7017/loginuid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7017/cgroup Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/comm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/cmdline Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/status Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/attr/current Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/sessionid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/loginuid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/cgroup Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/comm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/cmdline Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/status Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/attr/current Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/sessionid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/loginuid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7028/cgroup Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7027/comm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7027/cmdline Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7027/status Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7027/attr/current Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7027/sessionid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7027/loginuid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7027/cgroup Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7038/comm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7038/cmdline Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7038/status Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7038/attr/current Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7038/sessionid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7038/loginuid Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) File opened: /proc/7038/cgroup Jump to behavior
Executes commands using a shell command-line interpreter
Source: /usr/bin/gpu-manager (PID: 6482) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6487) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6490) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6740) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6743) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6746) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6748) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6750) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6752) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6754) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6756) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6773) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6778) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6780) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6782) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6844) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6847) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6851) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6853) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7006) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7008) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7011) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7014) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7019) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7095) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7098) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7100) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7102) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7106) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7108) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7110) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7112) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7265) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7267) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7271) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7273) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7276) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7290) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7292) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7354) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7357) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7359) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7361) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7365) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7367) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7518) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7520) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7523) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7528) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7530) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7661) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7667) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7672) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7674) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7679) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7681) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7745) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7752) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7842) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7847) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7849) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7851) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7854) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7858) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7955) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7958) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7966) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7971) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 6484) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6489) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6491) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6741) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6744) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6747) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6749) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6751) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6753) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6755) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6757) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6774) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6779) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6781) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6783) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6845) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6849) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6852) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6854) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 7007) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 7010) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 7012) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 7015) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 7020) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 7096) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7099) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7101) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7105) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7107) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7109) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7111) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7113) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7266) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7268) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7272) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7274) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7277) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7291) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7293) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7355) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7358) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7360) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7362) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7366) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7368) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7519) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7521) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7524) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7529) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7531) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7664) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7668) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7673) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7676) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7680) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7682) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7746) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7754) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7845) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7848) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7850) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7852) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7855) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7956) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7959) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7967) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7973) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /usr/share/gdm/generate-config (PID: 6495) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6760) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6858) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 7023) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 7115) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7281) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7370) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7535) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7756) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7861) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7976) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Reads system information from the proc file system
Source: /lib/systemd/systemd-journald (PID: 6664) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6875) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 7135) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7199) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7388) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7452) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7581) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7774) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7890) Reads from proc file: /proc/meminfo
Reads system version information
Source: /sbin/agetty (PID: 6480) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 6493) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 6673) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 6764) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 7005) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 7264) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7513) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7643) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7834) Reads version info: /etc/issue
Sample tries to set the executable flag
Source: /usr/sbin/gdm3 (PID: 6584) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx) Jump to behavior
Source: /usr/sbin/gdm3 (PID: 6584) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx) Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6393) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6393) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6492) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6492) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6594) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6594) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6672) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6737) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6770) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6770) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 6771) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6868) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6936) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7027) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7027) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 7034) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 7120) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7130) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7197) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7283) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7283) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 7289) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 7377) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7451) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7540) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7540) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7569) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7641) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 7660) Log file created: /var/log/gpu-manager.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 7662) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7662) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7766) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7835) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7857) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7857) Log file created: /var/log/auth.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 7957) Log file created: /var/log/kern.log Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/Aqua.x86.elf (PID: 6218) File: /tmp/Aqua.x86.elf Jump to behavior
Deletes log files
Source: /usr/bin/gpu-manager (PID: 6481) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6737) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6771) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6943) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7034) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7200) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7289) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7470) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7660) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7841) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7953) Truncated file: /var/log/gpu-manager.log
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6495) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6760) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6858) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 7023) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 7115) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7281) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7370) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7535) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7551) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7666) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7756) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7853) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7861) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7976) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7975) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /lib/systemd/systemd-hostnamed (PID: 6225) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6393) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6480) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6492) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6493) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6594) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6664) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6672) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6673) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6737) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6738) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6761) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6764) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6770) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6771) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6868) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6875) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6936) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6942) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 7005) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 7017) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 7027) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7034) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7120) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7130) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7135) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7197) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7199) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7264) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7278) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7283) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 7289) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7377) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7385) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7388) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7451) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7452) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7513) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7533) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7540) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7551) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7569) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7581) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7641) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7643) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 7660) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7662) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7666) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7766) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7774) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7834) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7835) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7853) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7857) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7887) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7890) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7957) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7975) Queries kernel information via 'uname':
Source: syslog.33.dr Binary or memory string: May 5 13:37:45 galassia kernel: [ 409.772143] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: syslog.33.dr Binary or memory string: May 5 13:37:45 galassia kernel: [ 409.772118] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase

Stealing of Sensitive Information
barindex
Yara detected Mirai
Source: Yara match File source: Aqua.x86.elf, type: SAMPLE
Source: Yara match File source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Aqua.x86.elf PID: 6217, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mirai
Source: Yara match File source: Aqua.x86.elf, type: SAMPLE
Source: Yara match File source: 6217.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Aqua.x86.elf PID: 6217, type: MEMORYSTR

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.213.35.24
 unknown United States
41231 CANONICAL-ASGB false
94.156.8.76
 net.kovey-net.lol Bulgaria
43561 NET1-ASBG true
89.190.156.145
 unknown United Kingdom
7489 HOSTUS-GLOBAL-ASHostUSHK false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.25 true
net.kovey-net.lol 94.156.8.76 true
net.kovey-net.lol. [malformed] unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://daisy.ubuntu.com/9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e false
    		high