
Analysis Report finspy.sh

Overview

General Information

Sample Name: finspy.sh
Analysis ID: 1250217
MD5: bd212fcdf3138b5c1dd890098f16f51e
SHA1: a85e4c8c2afa4da357d2209535c4140bd9809617
SHA256: 1e9162cd0941557304a6a097dfaadf59f90bc8bbaa9879afe67b5ce0d1514be8

Detection

FinSpy
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected FinSpy
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Opens /sys/class/net/* files useful for querying network interface information
Sample deletes itself
Searches for processes related to Bluetooth scanning
Searches for processes related to IMSI grabbing
Searches for processes related to WiFi attacking
Writes ELF files to hidden directories
Creates hidden files and/or directories
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "grep" command used to find patterns in files or piped streams
Executes the "ps" command used to list the status of processes
Executes the "rm" command used to delete files or directories
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Sample contains strings that are potentially command strings
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk

Classification

Startup

  • system is lnxcentos1
  • sh (PID: 3246, Parent: 3183, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: /bin/sh /tmp/finspy.sh
    • sh New Fork (PID: 3249, Parent: 3246)
      • sh New Fork (PID: 3252, Parent: 3249)
      • od (PID: 3252, Parent: 3249, MD5: 39105419a1e5a2d87eb8c61465a59c93) Arguments: od -j4 -N1 -An -t u1
      • sh New Fork (PID: 3253, Parent: 3249)
      • tr (PID: 3253, Parent: 3249, MD5: d395baaa4f54446576b2ccd7b96f764d) Arguments: tr -d " "
    • sh New Fork (PID: 3256, Parent: 3246)
      • sh New Fork (PID: 3259, Parent: 3256)
      • grep (PID: 3259, Parent: 3256, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep --text --line-number ^__x64xx__$ /tmp/finspy.sh
      • sh New Fork (PID: 3260, Parent: 3256)
      • cut (PID: 3260, Parent: 3256, MD5: efc6d453911f2a7118d4d8afb42aee00) Arguments: cut -d : -f 1
    • sh New Fork (PID: 3265, Parent: 3246)
    • tail (PID: 3265, Parent: 3246, MD5: 2f9dc46f27039ede203b1086e6fe5657) Arguments: tail -n +10905 /tmp/finspy.sh
    • sh New Fork (PID: 3311, Parent: 3246)
    • chmod (PID: 3311, Parent: 3246, MD5: 5a67425617564cb642037e48fde43fb4) Arguments: chmod +x /tmp/udev2
    • sh New Fork (PID: 3324, Parent: 3246)
    • su (PID: 3324, Parent: 3246, MD5: 5c28dbb5ba2104bbb4a1efceb1b79dd7) Arguments: su -c /tmp/udev2 user
      • su New Fork (PID: 3357, Parent: 3324)
      • bash (PID: 3357, Parent: 3324, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: bash -c /tmp/udev2
      • udev2 (PID: 3357, Parent: 3324, MD5: 0cd5adee35d5e3f15a5146148855eb99) Arguments: /tmp/udev2
        • udev2 New Fork (PID: 3376, Parent: 3357)
        • kthreadd (PID: 3376, Parent: 1, MD5: unknown) Arguments: kthreadd 80.so RunDll
          • kthreadd New Fork (PID: 3417, Parent: 3376)
            • kthreadd New Fork (PID: 3420, Parent: 3417)
            • bash (PID: 3420, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ls /dev/disk/by-id/ 2>/dev/null"
              • bash New Fork (PID: 3421, Parent: 3420)
              • ls (PID: 3421, Parent: 3420, MD5: a78c13d806e594dc4014d145d689f23d) Arguments: ls /dev/disk/by-id/
            • kthreadd New Fork (PID: 3425, Parent: 3417)
            • bash (PID: 3425, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/eth?/address 2>/dev/null"
              • bash New Fork (PID: 3429, Parent: 3425)
              • cat (PID: 3429, Parent: 3425, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/eth?/address
            • kthreadd New Fork (PID: 3443, Parent: 3417)
            • bash (PID: 3443, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/wlan?/address 2>/dev/null"
              • bash New Fork (PID: 3447, Parent: 3443)
              • cat (PID: 3447, Parent: 3443, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/wlan?/address
            • kthreadd New Fork (PID: 3454, Parent: 3417)
            • bash (PID: 3454, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ls /sys/class/net/ 2>/dev/null | awk '{printf (\"%s\\n\", $1)}' 2>/dev/null"
              • bash New Fork (PID: 3460, Parent: 3454)
              • ls (PID: 3460, Parent: 3454, MD5: a78c13d806e594dc4014d145d689f23d) Arguments: ls /sys/class/net/
              • bash New Fork (PID: 3461, Parent: 3454)
              • awk (PID: 3461, Parent: 3454, MD5: 36e491b1e47944fb397b84f790ef5093) Arguments: awk "{printf (\"%s\\n\", $1)}"
            • kthreadd New Fork (PID: 3473, Parent: 3417)
            • bash (PID: 3473, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/enp0s3/address 2>/dev/null"
              • bash New Fork (PID: 3480, Parent: 3473)
              • cat (PID: 3480, Parent: 3473, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/enp0s3/address
            • kthreadd New Fork (PID: 3488, Parent: 3417)
            • bash (PID: 3488, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/virbr0/address 2>/dev/null"
              • bash New Fork (PID: 3495, Parent: 3488)
              • cat (PID: 3495, Parent: 3488, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/virbr0/address
            • kthreadd New Fork (PID: 3502, Parent: 3417)
            • bash (PID: 3502, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /sys/class/net/virbr0-nic/address 2>/dev/null"
              • bash New Fork (PID: 3509, Parent: 3502)
              • cat (PID: 3509, Parent: 3502, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /sys/class/net/virbr0-nic/address
            • kthreadd New Fork (PID: 3516, Parent: 3417)
            • bash (PID: 3516, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "cat /var/lib/dbus/machine-id 2>/dev/null"
              • bash New Fork (PID: 3523, Parent: 3516)
              • cat (PID: 3523, Parent: 3516, MD5: 3e060fa294264b25491834c902dbeaba) Arguments: cat /var/lib/dbus/machine-id
            • kthreadd New Fork (PID: 3657, Parent: 3417)
            • bash (PID: 3657, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ls /sys/class/net/ 2>/dev/null | awk '{printf (\"%s\\n\", $1)}' 2>/dev/null"
              • bash New Fork (PID: 3658, Parent: 3657)
              • ls (PID: 3658, Parent: 3657, MD5: a78c13d806e594dc4014d145d689f23d) Arguments: ls /sys/class/net/
              • bash New Fork (PID: 3659, Parent: 3657)
              • awk (PID: 3659, Parent: 3657, MD5: 36e491b1e47944fb397b84f790ef5093) Arguments: awk "{printf (\"%s\\n\", $1)}"
            • kthreadd New Fork (PID: 3731, Parent: 3417)
            • bash (PID: 3731, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-scan' | grep -v -e grep"
              • bash New Fork (PID: 3732, Parent: 3731)
              • ps (PID: 3732, Parent: 3731, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 3733, Parent: 3731)
              • grep (PID: 3733, Parent: 3731, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-scan
              • bash New Fork (PID: 3734, Parent: 3731)
              • grep (PID: 3734, Parent: 3731, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 3742, Parent: 3417)
            • bash (PID: 3742, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-catcher' | grep -v -e grep"
              • bash New Fork (PID: 3750, Parent: 3742)
              • ps (PID: 3750, Parent: 3742, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 3751, Parent: 3742)
              • grep (PID: 3751, Parent: 3742, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-catcher
              • bash New Fork (PID: 3752, Parent: 3742)
              • grep (PID: 3752, Parent: 3742, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 3794, Parent: 3417)
            • bash (PID: 3794, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-attack' | grep -v -e grep"
              • bash New Fork (PID: 3798, Parent: 3794)
              • ps (PID: 3798, Parent: 3794, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 3799, Parent: 3794)
              • grep (PID: 3799, Parent: 3794, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-attack
              • bash New Fork (PID: 3800, Parent: 3794)
              • grep (PID: 3800, Parent: 3794, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 3819, Parent: 3417)
            • bash (PID: 3819, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-jam' | grep -v -e grep"
              • bash New Fork (PID: 3826, Parent: 3819)
              • ps (PID: 3826, Parent: 3819, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 3827, Parent: 3819)
              • grep (PID: 3827, Parent: 3819, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-jam
              • bash New Fork (PID: 3828, Parent: 3819)
              • grep (PID: 3828, Parent: 3819, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 3865, Parent: 3417)
            • bash (PID: 3865, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-imsi-grabber' | grep -v -e grep"
              • bash New Fork (PID: 3872, Parent: 3865)
              • ps (PID: 3872, Parent: 3865, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 3873, Parent: 3865)
              • grep (PID: 3873, Parent: 3865, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-imsi-grabber
              • bash New Fork (PID: 3874, Parent: 3865)
              • grep (PID: 3874, Parent: 3865, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 3899, Parent: 3417)
            • bash (PID: 3899, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'bt-scan' | grep -v -e grep"
              • bash New Fork (PID: 3906, Parent: 3899)
              • ps (PID: 3906, Parent: 3899, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 3907, Parent: 3899)
              • grep (PID: 3907, Parent: 3899, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe bt-scan
              • bash New Fork (PID: 3908, Parent: 3899)
              • grep (PID: 3908, Parent: 3899, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 4051, Parent: 3417)
            • dbus-launch (PID: 4051, Parent: 3417, MD5: ab4ac72a6958515e8bdaae3d80b7d075) Arguments: dbus-launch --autolaunch 24cb8984dc734c5f8c17ef2abd3dba17 --binary-syntax --close-stderr
            • kthreadd New Fork (PID: 4068, Parent: 3417)
            • bash (PID: 4068, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-scan' | grep -v -e grep"
              • bash New Fork (PID: 4069, Parent: 4068)
              • ps (PID: 4069, Parent: 4068, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 4070, Parent: 4068)
              • grep (PID: 4070, Parent: 4068, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-scan
              • bash New Fork (PID: 4071, Parent: 4068)
              • grep (PID: 4071, Parent: 4068, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 4075, Parent: 3417)
            • bash (PID: 4075, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-catcher' | grep -v -e grep"
              • bash New Fork (PID: 4079, Parent: 4075)
              • ps (PID: 4079, Parent: 4075, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 4080, Parent: 4075)
              • grep (PID: 4080, Parent: 4075, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-catcher
              • bash New Fork (PID: 4081, Parent: 4075)
              • grep (PID: 4081, Parent: 4075, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 4097, Parent: 3417)
            • bash (PID: 4097, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-attack' | grep -v -e grep"
              • bash New Fork (PID: 4109, Parent: 4097)
              • ps (PID: 4109, Parent: 4097, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 4110, Parent: 4097)
              • grep (PID: 4110, Parent: 4097, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-attack
              • bash New Fork (PID: 4111, Parent: 4097)
              • grep (PID: 4111, Parent: 4097, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 4131, Parent: 3417)
            • bash (PID: 4131, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-jam' | grep -v -e grep"
              • bash New Fork (PID: 4138, Parent: 4131)
              • ps (PID: 4138, Parent: 4131, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 4139, Parent: 4131)
              • grep (PID: 4139, Parent: 4131, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-jam
              • bash New Fork (PID: 4140, Parent: 4131)
              • grep (PID: 4140, Parent: 4131, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 4164, Parent: 3417)
            • bash (PID: 4164, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'wifi-imsi-grabber' | grep -v -e grep"
              • bash New Fork (PID: 4170, Parent: 4164)
              • ps (PID: 4170, Parent: 4164, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 4171, Parent: 4164)
              • grep (PID: 4171, Parent: 4164, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe wifi-imsi-grabber
              • bash New Fork (PID: 4172, Parent: 4164)
              • grep (PID: 4172, Parent: 4164, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
            • kthreadd New Fork (PID: 4193, Parent: 3417)
            • bash (PID: 4193, Parent: 3417, MD5: 0719e857695fd4c17ad5bb4547909e5a) Arguments: sh -c "ps auxww | grep -iEe 'bt-scan' | grep -v -e grep"
              • bash New Fork (PID: 4200, Parent: 4193)
              • ps (PID: 4200, Parent: 4193, MD5: c13a1d1dad08ab8444f35ce966cc3e29) Arguments: ps auxww
              • bash New Fork (PID: 4201, Parent: 4193)
              • grep (PID: 4201, Parent: 4193, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -iEe bt-scan
              • bash New Fork (PID: 4202, Parent: 4193)
              • grep (PID: 4202, Parent: 4193, MD5: 6cd81dedcf076b9ad7cfbfec976245d5) Arguments: grep -v -e grep
    • sh New Fork (PID: 3377, Parent: 3246)
    • rm (PID: 3377, Parent: 3246, MD5: 600aaa3669abb4a79eefa5881b390442) Arguments: rm -rf /tmp/finspy.sh
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
finspy.sh | JoeSecurity_FinSpy | Yara detected FinSpy | Joe Security |

    Dropped Files

    Source | Rule | Description | Author | Strings
    /tmp/udev2 | JoeSecurity_FinSpy | Yara detected FinSpy | Joe Security |

      Signature Overview

      Source: kthreadd (PID: 3417)Reads CPU info from /sys: /sys/devices/system/cpu/online

      Networking:

      Opens /sys/class/net/* files useful for querying network interface information
      Source: /usr/bin/bash (PID: 3425)Opens: /sys/class/net/
      Source: /usr/bin/bash (PID: 3443)Opens: /sys/class/net/
      Source: /bin/ls (PID: 3460)Opens: /sys/class/net/
      Source: /bin/cat (PID: 3480)Opens: /sys/class/net/enp0s3/address
      Source: /bin/cat (PID: 3495)Opens: /sys/class/net/virbr0/address
      Source: /bin/cat (PID: 3509)Opens: /sys/class/net/virbr0-nic/address
      Source: /bin/ls (PID: 3658)Opens: /sys/class/net/
      Searches for processes related to Bluetooth scanning
      Source: kthreadd (PID: 3899)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'bt-scan' | grep -v -e grep"
      Source: kthreadd (PID: 4193)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'bt-scan' | grep -v -e grep"
      Searches for processes related to IMSI grabbing
      Source: kthreadd (PID: 3865)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-imsi-grabber' | grep -v -e grep"
      Source: kthreadd (PID: 4164)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-imsi-grabber' | grep -v -e grep"
      Searches for processes related to WiFi attacking
      Source: kthreadd (PID: 3731)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-scan' | grep -v -e grep"
      Source: kthreadd (PID: 3742)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-catcher' | grep -v -e grep"
      Source: kthreadd (PID: 3794)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-attack' | grep -v -e grep"
      Source: kthreadd (PID: 3819)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-jam' | grep -v -e grep"
      Source: kthreadd (PID: 4068)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-scan' | grep -v -e grep"
      Source: kthreadd (PID: 4075)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-catcher' | grep -v -e grep"
      Source: kthreadd (PID: 4097)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-attack' | grep -v -e grep"
      Source: kthreadd (PID: 4131)Executable: /usr/bin/bash -> sh -c "ps auxww | grep -iEe 'wifi-jam' | grep -v -e grep"
      Source: unknownTCP traffic detected without corresponding DNS query: 129.177.13.60
      Source: unknownTCP traffic detected without corresponding DNS query: 152.199.19.161
      Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
      Source: unknownTCP traffic detected without corresponding DNS query: 216.176.179.218
      Source: unknownTCP traffic detected without corresponding DNS query: 129.177.13.60
      Source: unknownTCP traffic detected without corresponding DNS query: 152.199.19.161
      Source: unknownTCP traffic detected without corresponding DNS query: 109.202.202.202
      Source: unknownTCP traffic detected without corresponding DNS query: 216.176.179.218
      Source: unknownTCP traffic detected without corresponding DNS query: 129.177.13.60
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownTCP traffic detected without corresponding DNS query: 185.25.50.74
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 48064
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 48062
      Source: unknownNetwork traffic detected: HTTP traffic on port 48062 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 48064 -> 443
      Source: Initial samplePotential command found: tail -n +$ARCHIVE $0 > /tmp/udev2 && chmod +x /tmp/udev2
      Source: Initial samplePotential command found: su -c /tmp/udev2 $SUDO_USER
      Source: Initial samplePotential command found: rm -rf "$0"
      Source: Initial samplePotential command found: lspci 2>/dev/null | grep -i "system peripheral" | grep -i "virtual"
      Source: Initial samplePotential command found: dmesg --notime 2>/dev/null | grep -i "hypervisor detected" | cut -d ':' -f2 | tr -d "
      Source: Initial samplePotential command found: dmesg --notime 2>/dev/null | grep -i "cpu" | grep -i "virtual"
      Source: Initial samplePotential command found: ps ya8xw
      Source: Initial samplePotential command found: lc WxC
      Source: Initial samplePotential command found: X Uh
      Source: Initial samplePotential command found: w dLR
      Source: Initial samplePotential command found: X +f2
      Source: Initial samplePotential command found: cd r;
      Source: classification engineClassification label: mal76.troj.spyw.evad.linSH@0/49@0/0

      Persistence and Installation Behavior:

      Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
      Source: /tmp/udev2 (PID: 3357)File written: /home/user/.bash_profile
      Source: kthreadd (PID: 3417)File written: /home/user/.bash_profile
      Writes ELF files to hidden directories
      Source: /tmp/udev2 (PID: 3357)File written to hidden directory: /home/user/.kde/.cfg/kthreadd
      Source: kthreadd (PID: 3417)File written to hidden directory: /home/user/.kde/.cfg/mcli.so
      Source: kthreadd (PID: 3417)File written to hidden directory: /home/user/.kde/.cfg/wbcm.so
      Source: kthreadd (PID: 3417)File written to hidden directory: /home/user/.kde/.cfg/gtkx.so
      Source: /tmp/udev2 (PID: 3357)Directory: /home/user/.kde
      Source: /tmp/udev2 (PID: 3357)Directory: /home/user/.kde/.cfg
      Source: kthreadd (PID: 3417)Directory: /home/user/.local
      Source: /bin/ps (PID: 4079)File opened: /proc/88/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/88/status
      Source: /bin/ps (PID: 4079)File opened: /proc/88/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/89/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/89/status
      Source: /bin/ps (PID: 4079)File opened: /proc/89/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/2032/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/2032/status
      Source: /bin/ps (PID: 4079)File opened: /proc/2032/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/2150/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/2150/status
      Source: /bin/ps (PID: 4079)File opened: /proc/2150/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/352/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/352/status
      Source: /bin/ps (PID: 4079)File opened: /proc/352/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/353/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/353/status
      Source: /bin/ps (PID: 4079)File opened: /proc/353/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/992/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/992/status
      Source: /bin/ps (PID: 4079)File opened: /proc/992/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/1732/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/1732/status
      Source: /bin/ps (PID: 4079)File opened: /proc/1732/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/631/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/631/status
      Source: /bin/ps (PID: 4079)File opened: /proc/631/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/2027/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/2027/status
      Source: /bin/ps (PID: 4079)File opened: /proc/2027/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/1850/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/1850/status
      Source: /bin/ps (PID: 4079)File opened: /proc/1850/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/633/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/633/status
      Source: /bin/ps (PID: 4079)File opened: /proc/633/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/1331/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/1331/status
      Source: /bin/ps (PID: 4079)File opened: /proc/1331/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/1617/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/1617/status
      Source: /bin/ps (PID: 4079)File opened: /proc/1617/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/10/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/10/status
      Source: /bin/ps (PID: 4079)File opened: /proc/10/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/11/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/11/status
      Source: /bin/ps (PID: 4079)File opened: /proc/11/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/13/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/13/status
      Source: /bin/ps (PID: 4079)File opened: /proc/13/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/14/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/14/status
      Source: /bin/ps (PID: 4079)File opened: /proc/14/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/15/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/15/status
      Source: /bin/ps (PID: 4079)File opened: /proc/15/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/16/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/16/status
      Source: /bin/ps (PID: 4079)File opened: /proc/16/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/17/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/17/status
      Source: /bin/ps (PID: 4079)File opened: /proc/17/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/18/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/18/status
      Source: /bin/ps (PID: 4079)File opened: /proc/18/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/19/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/19/status
      Source: /bin/ps (PID: 4079)File opened: /proc/19/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/2166/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/2166/status
      Source: /bin/ps (PID: 4079)File opened: /proc/2166/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/3376/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/3376/status
      Source: /bin/ps (PID: 4079)File opened: /proc/3376/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/2043/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/2043/status
      Source: /bin/ps (PID: 4079)File opened: /proc/2043/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/363/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/363/status
      Source: /bin/ps (PID: 4079)File opened: /proc/363/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/364/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/364/status
      Source: /bin/ps (PID: 4079)File opened: /proc/364/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/1/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/1/status
      Source: /bin/ps (PID: 4079)File opened: /proc/1/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/1986/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/1986/status
      Source: /bin/ps (PID: 4079)File opened: /proc/1986/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/486/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/486/status
      Source: /bin/ps (PID: 4079)File opened: /proc/486/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/2/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/2/status
      Source: /bin/ps (PID: 4079)File opened: /proc/2/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/3/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/3/status
      Source: /bin/ps (PID: 4079)File opened: /proc/3/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/2038/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/2038/status
      Source: /bin/ps (PID: 4079)File opened: /proc/2038/cmdline
      Source: /bin/ps (PID: 4079)File opened: /proc/5/stat
      Source: /bin/ps (PID: 4079)File opened: /proc/5/status
      Source: /bin/ps (PID: 4079)File opened: /proc/5/cmdline
      Source: /bin/su (PID: 3357)Shell command executed: bash -c /tmp/udev2
      Source: /bin/sh (PID: 3311) | Chmod executable: /bin/chmod -> chmod +x /tmp/udev2
      Source: /bin/sh (PID: 3259) | Grep executable: /bin/grep -> grep --text --line-number ^__x64xx__$ /tmp/finspy.sh
      Source: /usr/bin/bash (PID: 3733) | Grep executable: /bin/grep -> grep -iEe wifi-scan
      Source: /usr/bin/bash (PID: 3734) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 3751) | Grep executable: /bin/grep -> grep -iEe wifi-catcher
      Source: /usr/bin/bash (PID: 3752) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 3799) | Grep executable: /bin/grep -> grep -iEe wifi-attack
      Source: /usr/bin/bash (PID: 3800) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 3827) | Grep executable: /bin/grep -> grep -iEe wifi-jam
      Source: /usr/bin/bash (PID: 3828) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 3873) | Grep executable: /bin/grep -> grep -iEe wifi-imsi-grabber
      Source: /usr/bin/bash (PID: 3874) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 3907) | Grep executable: /bin/grep -> grep -iEe bt-scan
      Source: /usr/bin/bash (PID: 3908) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 4070) | Grep executable: /bin/grep -> grep -iEe wifi-scan
      Source: /usr/bin/bash (PID: 4071) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 4080) | Grep executable: /bin/grep -> grep -iEe wifi-catcher
      Source: /usr/bin/bash (PID: 4081) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 4110) | Grep executable: /bin/grep -> grep -iEe wifi-attack
      Source: /usr/bin/bash (PID: 4111) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 4139) | Grep executable: /bin/grep -> grep -iEe wifi-jam
      Source: /usr/bin/bash (PID: 4140) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 4171) | Grep executable: /bin/grep -> grep -iEe wifi-imsi-grabber
      Source: /usr/bin/bash (PID: 4172) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 4201) | Grep executable: /bin/grep -> grep -iEe bt-scan
      Source: /usr/bin/bash (PID: 4202) | Grep executable: /bin/grep -> grep -v -e grep
      Source: /usr/bin/bash (PID: 3732) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 3750) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 3798) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 3826) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 3872) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 3906) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 4069) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 4079) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 4109) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 4138) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 4170) | Ps executable: /bin/ps -> ps auxww
      Source: /usr/bin/bash (PID: 4200) | Ps executable: /bin/ps -> ps auxww
      Source: /bin/sh (PID: 3377) | Rm executable: /bin/rm -> rm -rf /tmp/finspy.sh
      Source: /bin/sh (PID: 3246) | Reads from proc file: /proc/meminfo
      Source: /bin/bash (PID: 3357) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3420) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3425) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3443) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3454) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3473) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3488) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3502) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3516) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3657) | Reads from proc file: /proc/meminfo
      Source: /usr/bin/bash (PID: 3731) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3732) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3732) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 3742) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3750) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3750) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 3794) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3798) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3798) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 3819) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3826) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3826) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 3865) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3872) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3872) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 3899) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3906) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 3906) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 4068) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4069) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4069) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 4075) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4079) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4079) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 4097) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4109) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4109) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 4131) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4138) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4138) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 4164) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4170) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4170) | Reads from proc file: /proc/stat
      Source: /usr/bin/bash (PID: 4193) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4200) | Reads from proc file: /proc/meminfo
      Source: /bin/ps (PID: 4200) | Reads from proc file: /proc/stat
      Source: /bin/chmod (PID: 3311) | File: /tmp/udev2 (bits: - usr: rx grp: rx all: rwx)
      Source: /bin/tail (PID: 3265) | File written: /tmp/udev2
      Source: /tmp/udev2 (PID: 3357) | File written: /home/user/.kde/.cfg/kthreadd
      Source: kthreadd (PID: 3417) | File written: /home/user/.kde/.cfg/mcli.so
      Source: kthreadd (PID: 3417) | File written: /home/user/.kde/.cfg/wbcm.so
      Source: kthreadd (PID: 3417) | File written: /home/user/.kde/.cfg/gtkx.so

      Hooking and other Techniques for Hiding and Protection:

      Sample deletes itself
      Source: kthreadd (PID: 3417) | File: kthreadd
      Source: /bin/rm (PID: 3377) | File: /tmp/finspy.sh
      Source: kthreadd (PID: 3417) | Reads CPU info from /sys: /sys/devices/system/cpu/online
      Source: /bin/sh (PID: 3246) | Queries kernel information via 'uname':
      Source: /bin/bash (PID: 3357) | Queries kernel information via 'uname':
      Source: kthreadd (PID: 3417) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3420) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3425) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3443) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3454) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3473) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3488) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3502) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3516) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3657) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3731) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 3732) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3742) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 3750) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3794) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 3798) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3819) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 3826) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3865) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 3872) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 3899) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 3906) | Queries kernel information via 'uname':
      Source: /usr/bin/dbus-launch (PID: 4051) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 4068) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 4069) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 4075) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 4079) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 4097) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 4109) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 4131) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 4138) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 4164) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 4170) | Queries kernel information via 'uname':
      Source: /usr/bin/bash (PID: 4193) | Queries kernel information via 'uname':
      Source: /bin/ps (PID: 4200) | Queries kernel information via 'uname':

      Stealing of Sensitive Information:

      Yara detected FinSpy
      Source: Yara match | File source: finspy.sh, type: SAMPLE
      Source: Yara match | File source: /tmp/udev2, type: DROPPED

      Remote Access Functionality:

      Yara detected FinSpy
      Source: Yara match | File source: finspy.sh, type: SAMPLE
      Source: Yara match | File source: /tmp/udev2, type: DROPPED

      Mitre Att&ck Matrix

      Techniques are listed per tactic column, in the order of the four matrix rows; numbers in parentheses are the superscript counts shown in the original matrix.
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
      Execution: Command and Scripting Interpreter (1); Scripting (1); At (Linux); At (Windows)
      Persistence: .bash_profile and .bashrc (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Privilege Escalation: .bash_profile and .bashrc (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Defense Evasion: File and Directory Permissions Modification (1); Scripting (1); Hidden Files and Directories (1, 1); File Deletion (1, 1)
      Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS
      Discovery: Security Software Discovery (1); Process Discovery (3, 1); System Information Discovery (2); System Network Configuration Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
      Collection: Network Information Discovery (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
      Command and Control: Encrypted Channel (1); Application Layer Protocol (1); Steganography; Protocol Impersonation
      Network Effects: Jamming or Denial of Service (1); Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
      Impact: Modify System Partition; Device Lockout; Delete Device Data

      Behavior Graph

      Behavior Graph ID: 1250217 | Sample: finspy.sh | Startdate: 05/10/2020 | Architecture: LINUX | Score: 76
      Contacted hosts shown in the graph: 216.176.179.218:80 (WOWUS, United States); 129.177.13.60:80 (UNINETT, Norway); 3 other IPs or domains
      Process tree recovered from the graph (signatures in square brackets):
      • sh (finspy.sh) [Yara detected FinSpy]: started su, rm, tail and 3 other sh processes, which in turn ran od, tr, grep and cut
      • rm [Sample deletes itself]
      • tail: dropped /tmp/udev2 (ELF)
      • su -> bash -> udev2 [Writes ELF files to hidden directories; Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions]: dropped /home/user/.kde/.cfg/kthreadd (ELF) and /home/user/.kde/.cfg/17C.dat (DOS); started kthreadd
      • kthreadd -> kthreadd [Writes ELF files to hidden directories; Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions; Sample deletes itself]: dropped /home/user/.kde/.cfg/wbcm.so, /home/user/.kde/.cfg/mcli.so and /home/user/.kde/.cfg/gtkx.so (ELF) and /home/user/.bash_profile; started three bash processes and 19 other processes
      • the three bash children of kthreadd ran ls and awk (twice) and cat; the first ls [Opens /sys/class/net/* files useful for querying network interface information]
      • the 19 other kthreadd children [Opens /sys/class/net/* files useful for querying network interface information; Searches for processes related to Bluetooth scanning; Searches for processes related to IMSI grabbing; Searches for processes related to WiFI attacking] ran cat (twice), ls and 39 other processes

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs

      Public

      IP | Country | ASN | ASN Name | Malicious
      152.199.19.161 | United States | 15133 | EDGECASTUS | false
      185.25.50.74 | Lithuania | 61272 | IST-ASLT | false
      109.202.202.202 | Switzerland | 13030 | INIT7CH | false
      216.176.179.218 | United States | 23033 | WOWUS | false
      129.177.13.60 | Norway | 224 | UNINETTUNINETTTheNorwegianUniversityResearchNetwork | false

      General Information

      Joe Sandbox Version:
      Analysis ID:1250217
      Start date:05.10.2020
      Start time:15:12:02
      Joe Sandbox Product:Cloud
      Overall analysis duration:0h 5m 12s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:finspy.sh
      Cookbook file name:defaultlinuxfilecookbook.jbs
      Analysis system description:CentOS Linux 7.5 x64 (Kernel 3.10.0-862, Firefox 52.8.0, Document Viewer 3.22.1, LibreOffice 5.3.6.1, OpenJDK 1.8.0_171)
      Detection:MAL
      Classification:mal76.troj.spyw.evad.linSH@0/49@0/0
      Warnings:
      • Report size exceeded maximum capacity and may have missing behavior information.


      Runtime Messages

      Command:sh "/tmp/finspy.sh"
      Exit Code:0
      Exit Code Info:
      Killed:False
      Standard Output:

      Standard Error:

      Created / dropped Files

      /home/user/.bash_profile
      Process:kthreadd
      File Type:very short file (no magic)
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      MD5:93B885ADFE0DA089CDF634904FD59F71
      SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
      SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
      SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
      Malicious:true
      Reputation:low
      Preview: .
      /home/user/.bash_profile1
      Process:/tmp/udev2
      File Type:very short file (no magic)
      Size (bytes):1
      Entropy (8bit):0.0
      Encrypted:false
      MD5:93B885ADFE0DA089CDF634904FD59F71
      SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
      SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
      SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
      Malicious:false
      Reputation:low
      Preview: .
      /home/user/.kde/.cfg/02.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):157375
      Entropy (8bit):7.8916527190645915
      Encrypted:false
      MD5:23972D068A144AC242CE2282294808D4
      SHA1:E2EEA237F4AA9B0317F324D3BEB68E4975BEAE3F
      SHA-256:FFB2C365F549E8454D678D9D318C40A165142E2A5B70408DC91F5E49D103E078
      SHA-512:F44C7D350DBC2F2FC5931C59D990B98F810733150100E9C7162D0DD4914D2B78AAFC7B62098820C9023D8D50C8131646DB4DD8D5D09E8B8047B366AF7687A864
      Malicious:false
      Reputation:low
      Preview: ......ELF........>....V..@....(8...,8.V......... .8......#.&ct..1....8G......&....#g....2....<.p$....P.td.#xoB...L..6.8EQ.D.....Rp..........x......GNU...........w.......[.Fm.J. +N...wap.H.U$.....:..<..Z.B..0...=...9.,14.......n.p. ..........\..@.H....n..v g(....l..n.z....0.. ..H\..@F.....P_!.....@l..0$U....@o....O....Ad..@...........oP...E.....H.0...>...$.dF...Ap....."....4\.......H"JdL.MHN.O"RDST.n..Z._.`$bLd.g.i.l$pJq,er2.t9v.x..yL.z.}..$.I...D.......".D...$..".D....L....D....L....G.".D...........$.H...".D......$.J..y...$.J..e.2..$.H...".S..".D......$.H...".D......$.H...".D......%..!......s-...|3.!....C...zY..i.P..Q.e.....D.....@^.Q.@......!..........0.".....D....m....F3...\c0w$1..W......?.L....0.'.)@..7R.[...&.(!DAB..m...@..2...#(^iD..,.G...Q...Z[1...As)H...=.....E;.".#...eU....y.........B..4....$..n.R..e|`.....` ..W}}p.Z.C..?tH........6tp.VZ.P.0....~.......x....Pb.!ro.....0.}..r...+.Q.J...U...`C.....?=0.c..b.......d ...........~.fg!h....... .....K.........zo......M.!.V$UP..On=..r..
      /home/user/.kde/.cfg/02C.dat
      Process:/tmp/udev2
      File Type:Non-ISO extended-ASCII text
      Size (bytes):146
      Entropy (8bit):4.125173537317145
      Encrypted:false
      MD5:1646EAA6EF4E25DA4154D72966066D59
      SHA1:2237BD6C1528479BF8C37AC72E557111D67C503F
      SHA-256:CBECC8FF2C4F790451DBE8D887DF8E26143AF2C5971D0ABA09A92D3430ABC6C6
      SHA-512:520C4B41057C2D08617E83296F1FA5D160176FDDA736E207AC75895875FD6507FE7DED471C5709B987BB115C2F271ABB759267C0C70F05D2AB430E5844A25C8D
      Malicious:false
      Reputation:low
      Preview: 8Z....TZ/.Z.....V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.....S..Z.....P..Z%....Z..Z..:[.X..Z..Z.....Z..Z.....X...
      /home/user/.kde/.cfg/04.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):56342
      Entropy (8bit):7.899002476132214
      Encrypted:false
      MD5:5045D09F5C5A4E6705430A7C39DE060F
      SHA1:2267435B6BF1B9A4EB28797F2794B8BC7C10D289
      SHA-256:B3D2E096D61859E5CAE82E52602CFE9FDCDA8E219E8B0FB4F82FF42C46B3419C
      SHA-512:E1DBA933696C28AB1087DE051EE7445362B366A097B591DF7FB959ADF2CFA27D795913D46E5DD325546F2E7F64F27646AC18A74BE81A2544B5C0541FC25C26DA
      Malicious:false
      Reputation:low
      Preview: .v....ELF........>....9..@....(8...,8.V..(]..... .8...lI...".x.Ll..O8#....#.........b....M...8$G...P.td...M...Y...m.8Q....u!.ER5pj..p......xH....GNpU.&..Z.;........../.-g...2a.7$.H..UE.....B.!x.`..T..@.&.D..0...X$.s..Q.L.C.2.7.\...!...Q..B.u..U.J.....a.^.@P............ch.k.......lD....q .@...$..t.HX..7$8R#w;).>..?r.A$BHD.E2H.J$KHL.N<LO.HP..2.S9U.W%Y,4Z.].^$_Hb.c"dDef.hK0"lDmo.r.t..Dvx.z.|.....%.2..$.H...".D... D....L......$.J..e.2....D......%.2.......%........o x........2W.9......>...!P.....D..~.....z.:/.......o..@..F....P. ....)..Z[.....^._.9Q..e..A.0xB.M..0ND....".F;.V.h.+.QCE...I!\)......^...e`!...".......\...`.qw..%!..)..'...........:.r. .4>..L.)1m....0..A#..=..a...?...9....b...qX...x.i.P..0..|?..V..=..{>...8.fh.}o*.`.w4<:..=.Z..K...,.Gc);.\<w..!rd..C...6...fL..}...~.i.>.....e|`...w.........j...X..............)t.~.$.y,......W.[.1...z$`.)...vf....D.K......On........s.zc7'..L.....x.....u.3W.)!"."..2..W}p|.(.^i%,...?..s.`&...+.....L...3....J..,V)........`;H)O0.....(;H...!.y.,J.h.+..e.
      /home/user/.kde/.cfg/04C.dat
      Process:/tmp/udev2
      File Type:Non-ISO extended-ASCII text
      Size (bytes):73
      Entropy (8bit):3.7278897001071813
      Encrypted:false
      MD5:B9CEF110B78CB1F5074DC8709C1E78A1
      SHA1:D839C7EDA4B895E74197EF095E8F0210914EAB3C
      SHA-256:7C98C5E4DD7597902B561BACBA97AF7F0056B75A30ED56B6BBA740621EFB5E68
      SHA-512:FAE70213B9F1466459890F74756D6BDCA6D26423DD1D96C667C3F053058E8FEE9FEDA6E48733C2007DEA3EE2BBC4090CD4D5D86C8E6E4BF3A968CA238CD7E80D
      Malicious:false
      Reputation:low
      Preview: .Z....TZ..Z.....V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..
      /home/user/.kde/.cfg/05.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):73879
      Entropy (8bit):7.882233989233881
      Encrypted:false
      MD5:C3E2A13FD60C6FB6792C7AE64006CFD1
      SHA1:E09DC0099CC2EE3F570E5A642E6E4F710353F8F8
      SHA-256:73E88E61DB957B909521DAA880702DAE8F6CE8FFA1CDD9D91ECEA3A8DE70488F
      SHA-512:72449C0D34EAC7546FEEAE8BD9EB75D8509B1B8E43C7B793BD97B7C2798B72D91AF06C154BBFDF7C0C5E85C4084CE0E1443A499E3FA345BDC7A2D28E3469CE0F
      Malicious:false
      Reputation:low
      Preview: `"....ELF........>... 5..@....(8...,8.V.........r8."....#.#e.1U...B8#....#.........b....M...8$G...P.td..h....X....F8"Q....H.QRMpZ..p.f...#x..6...GNU...W..c..w..............La......#UE.....B.!.....T...@&.D..0........s.Q<.L.C2 l.\..z.....,Pu..U......L..>@...".....l'T.j..%....:l..... ~>@..>$....XD9./.0&1.D36..D78.9.:".<M=..B.C"DHFL.G9IL.J.GL"NDPR..DST.W.X.[.\$]H^._t<c.d".eDfi.kK."mDoq.sL.v.y.{..}..$.H...".S. ".D....D......%.2.....O.".D.........L.........5.>......o x........2W.9......>...!P.....D..~.....zY.........o..@..F....P. ....)..Z[.....^._..Q.JO.K.e..A...B.M...ND......F..V.h.+.Q.CE..I!...Fr\)..~...^...e!.."....\....`qw..`%!.)..`'.......... .,>..L.))m....1..A..=...?P.......b...qX...x.i.P.0...|?..V.."......8.f.h.}o.`..4s:..=.Z...K..,.Gcc).\.w..!rad.C..1.....}...~.i..}....e|`...w..3.............0...t....Hy.0....W..[.1...$...)...v.......K.....%i....On.......k..zc'........x..}.f.!!.D"..2..W}p|.(^(i%(...?..s.&....+.r..`D.. V0..J.a.+,2.1...:.|CY.b....|S.0.a.......BF..+.v)..`..?.!...O...`vSJ
      /home/user/.kde/.cfg/05C.dat
      Process:/tmp/udev2
      File Type:data
      Size (bytes):61
      Entropy (8bit):3.727303257896783
      Encrypted:false
      MD5:6BFBA62E20F270002943D88E6636D352
      SHA1:9C5852A7CD558AE64E5219C8CC28E8EB95D7A845
      SHA-256:5AB08940F09BBC898C10E1A48506A5A23CDEDA22528331EB2C86E4E6BD2B3C8D
      SHA-512:312C3A4D226FAE1846238576FC953AE5B61AF4AACCF488DB5E12AC1D7FB80903B665E799C02044739BF2C861FA2AFA1C9C49A92E3555907068AA0B980955169C
      Malicious:false
      Reputation:low
      Preview: .Z....TZ..Z..X..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....
      /home/user/.kde/.cfg/10.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):277150
      Entropy (8bit):7.871759933511614
      Encrypted:false
      MD5:DAA72A0745FA64FFDA8007B3D342F697
      SHA1:73338123D2600B9C0D0E04A476A694D9C6180CFC
      SHA-256:8DFFB24119EA678FB23F6877FE8147B237860BA4AF5CC8FBC0AAD2FB0223B6B5
      SHA-512:CB13CE75AB5E3D45AB7F3C6C9C1185FD149CEBF7E7093473B044A9EA2A73B970BCC5322BAA74D963FCCA7BF0B18641F730AAEF4B732BC2CFDBF1732A0EFAAB6A
      Malicious:false
      Reputation:low
      Preview: `.%...ELF........>.......@....(8...&8.V..L ......8..E.+&..G(...1....8..G.x...8..F.v...e.4.x.$..#..P.td.Eh.P....p...8.QA....(.R.p..FP........F...GNU.1e..H....A..~...v.)pB..&.cIfN...w.U...#.@...7..(..TD..+.H...d"c....$.Q..`@D2.............X%...A`g..}..V.....I(....0.I...".H..`.. .....i.7.0l.......?&Z.,.......$`.I8C..#.T.... ..]9.....I..Q..........Hc..B....A. .*....S.....@....u.<AL.Q........)..H....A.T!c.....E.y.....g....r]z.......i`"...B..w...!H...j.l$m.yn.p..qL.t.u.w%x2.z..{.}$.H...".D...$D......$.H...".D....L0.......D.........$.J..Y...$.H...".D......$.H...".D....LH.....$.H...".D....L,.....$.H...".D........7.X.......D......d.H...2...........L...... .!.s."2.#.%..(..*.,.-$.H/.0)1$.3"5D78.9.:..>.@$AHB.C..E.H..K.L2O.Q$RJS.eT<.V.Y.[&\.D`a.g..0.h..i2.l.n..p..q.r.u$wJx0Y{.}$.J..Y...$.H.......$.H...".D......$.H...P...d.L.....D........L..........d.L.......$.J. d.H...D..&..S..2........&..D......$.H...D.m...0.....wd...4..@...._..Q.....T7.L.=|m.]H.M..._D.0..};".#.....zn....D...C..t....Q...]...$W....
      /home/user/.kde/.cfg/10C.dat
      Process:/tmp/udev2
      File Type:Non-ISO extended-ASCII text, with LF, NEL line terminators
      Size (bytes):85
      Entropy (8bit):3.8305954595097123
      Encrypted:false
      MD5:C6A460AB215B31D3DB609B34501BE17E
      SHA1:9EE188EF8326F045BE89C547CC1745A6BF7B6D85
      SHA-256:E41FC5667CC5DB275595CF9EBB550A858AAF4056FCEFB28923E6CFABDB11594C
      SHA-512:ADBAA1591D708078020C7B36567D7E9D458428ECC3DBC19E76C298422EAC713EFD04E42D8DD86809AAC927C1C13C57761A767C1F0BD3B77F9D1CD7E814CEBB8F
      Malicious:false
      Reputation:low
      Preview: .Z....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....|..
      /home/user/.kde/.cfg/12.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):111928
      Entropy (8bit):7.898002301161979
      Encrypted:false
      MD5:4EFBF4007F39CB0B8B4BA03A5815A360
      SHA1:F1C8A826E79287481924987F008E8249B148DF09
      SHA-256:556E5AD1606F28C068CA4AC821F40CC4713FD3BBE994ACC0976D0A03160E998D
      SHA-512:937F8861D061011241B2042955AA4FB733B342F2E333EC997C6E98029E54EC7F10D5FC5805DC368064FA258189F63D163D02C754753CC301BE406865645E84BD
      Malicious:false
      Reputation:low
      Preview: ......ELF........>....R..@....(8...,8.V......... .8....I...$.....8..O8#..#.2.$68..F.G.......h..$.<G..P.td...s%.......18Q.....B..Rpj..#..5.9..x.....GNU......5.hH\.......M-.z.2y.Y..$.GUE......1!&....T...@&.D..0..... .....yQ<.N.C2.........rp... Q..}...=...%P3...H....@...p".......:..0.j.%....lF..C..."(.Hq..$....X..DZ\.^.._"`Wa."cDef.i..j"nDoq.r.t$vHx.|)}<.~......x............$.H...+.$d.H...".S..".D......$.J. e.2..$.H...X.......$.H...".D.......,...$.J..^D......$.H...".D......$.H...2..$.J..d.H...".D......$.H...8......1...Lz.0....Pr..e...9....!."..^.Q....F..!........"@.....&...... .\cw$.)..W......?.L....0.'.A...u.2.).B m.....2..#(^ioD!.,.G...Q...Z[1.>.A.)H...=.....E....eT...|.....U.B..$...e|`..... ...W}p........VZ.P.0....x......m.c.!r..0.}.....+.0Q`.......?=.J.2.c.!.b......d.............~.g.!.2ybh......9..m...K.....^..n.zo... u.N....On..V.......qX.[..1......w..$B....>...)......<?h...a#.".=0..!...06...x..i...?..v...... .%....G...f*'.....?8..h........+.[k.}o.t.....{.......h..4....\...|$...3.=.Z
      /home/user/.kde/.cfg/12C.dat
      Process:/tmp/udev2
      File Type:Non-ISO extended-ASCII text, with LF, NEL line terminators
      Size (bytes):85
      Entropy (8bit):3.752090752467995
      Encrypted:false
      MD5:70E0376FDE7F03B7B042C3E0F9A44303
      SHA1:E61D91E023DF6FD107795E833E57AC8EC2344C2F
      SHA-256:1C68FE0A3BC5A671D49D28764852A37AB0F59571398363E16D660219257E14A3
      SHA-512:AFE3D14B98701C1935923DE591A0737273788CC485BD917831E3C72026B3F73CC8082AEAFD3BCAA0B3F764BA719ED3D1870CFBE0DC877EBA18C40CC61D22392B
      Malicious:false
      Reputation:low
      Preview: .Z....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z..H..Z..
      /home/user/.kde/.cfg/14.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):347017
      Entropy (8bit):7.8800442470390974
      Encrypted:false
      MD5:1E0399DED79930DA2164207B993E3FC8
      SHA1:6547E9F77BD478820B0724AF066FB0CC6C38E1B4
      SHA-256:4B39B6F1EA8B55CF46F5CB9D6AEA58DDABF079698A90D7BBAD4576A8C94801E4
      SHA-512:717C32A8BFCBB413AAD3AD1B66C313FA6B460282FEB5717A7B3EB7BD4B015A68770B965713BC0F96F9D76AE6CCC694255852CF9663B8416265F99936100767A6
      Malicious:false
      Reputation:low
      Preview: @.'...ELF........>......8@R..(p8G.@,..Z......... 8..Ep.&..F+.....`...8G.#..GF....#g....2....<.p$....P.tdQ8........#h8.QP.C....)Rp..P...O.)........GNU......L....C...N..1...I.L.c......j`.w4 ...oT:Y)......"..r.<.(EE.j.a.oMj...a@.P(.. ..zT...%....A<....G-@. (:.0&...AaI.@....@..,Pt3..&...X.H..u....."...AR.3...P.......B.e%X.L...S....Q$.............A ......f...(.....A...r......U.....".....!'.....Q_........... ._.`......[26.=.....1..q...Z."a*D.g..R....v..........tI...?.. .&0... .n...'H..L.L... D.0...A...>x(...........I...dT .........T..$..n.T..5...[<.`9,.BP.V.@....=@.Ub..!`c {....&..G.m......B0.E"(..8APU....[8H.$.._.w@I.....&..M.P........d.H...)....".D......$.H...".D......$.H...".D.......\...%..(".D....S..".D....K0".D......$.K.9=....".D......$.H...".D..... $"H%.'"(Y)..,.0..1.2"5D68.9.:$<H@.A"EDGI.M.O'P..qR..U.W.X$ZH\.])_(.b.cL.e.f.h".lDop.P.q"rDtw.{.}. .L.......".D......$.J.,d.H...".S..".S..".D.......).......$.H...".D...)0....f....J.8.......".R.0....".e...3..2....$.H...".D......$.H...".D....L
      /home/user/.kde/.cfg/14C.dat
      Process:/tmp/udev2
      File Type:Non-ISO extended-ASCII text, with LF, NEL line terminators
      Size (bytes):141
      Entropy (8bit):4.1072374375231275
      Encrypted:false
      MD5:95DE6C2F58D2FE69117A5FA7735F1E23
      SHA1:E50CCCF9BD5F3FFBF3D2AC5DDF8378DF7AB9A91D
      SHA-256:A8D57E396012183BD8538CC13E414BD8C3AFA0D438A081CD3E96B7390348E01C
      SHA-512:D3B5806717CF8837317534E41E75885C777D3B3476D0890A073AFBF03DE0CE4A0825D3F12237EE7039E63BDCDF1974509381127843BC61BA112BDFC873498051
      Malicious:false
      Reputation:low
      Preview: 'Z....TZ .Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..S..Z..N..V..Z.....|..S..Z..N..S..Z..N..S..Z..N..V..Z....UZ..R..Z%H..
      /home/user/.kde/.cfg/16.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):98527
      Entropy (8bit):7.900054772699157
      Encrypted:false
      MD5:AFDE2AEC5264E80813A4009B0A700E4D
      SHA1:6B92F4AD09732948223C0583A61A9D4EB9A3FCEA
      SHA-256:48A6DF4A0515579098BE87EF05D0B4C63A2391FFB60B3C4B436C55CDF2CA82CB
      SHA-512:84222144E53E4E521C4A67B0843D0D6121B9D06BAC932708BEC236624546F333931DDB8E9E6CB03237DB4F48AF53FEA72DB7E915752EE9675A5E9683F273B040
      Malicious:false
      Reputation:low
      Preview: .r....ELF........>.......@....(8...,8.V...F..... .8...JI...$..'...-.O8#..#K2.$68..F......e.4.x.$..#..P.td.Fp.%..cd..m.8Q....u!.ER5pj.........xH....GNpU.e..Tz...w....u...pe.SA.$cZN....wa.%....T.u.....@PG....... ..~E....lUV..8,. ......R...h...a.A`...&..! :v\.`.V..K.t.=..:.).....TPc.(.......1l....A....D.9........$B.......]!.@.....\....~...P..D.x.B@.d-Q?....i(.1..p.|..B.....@.....3P."....".(....@.............@.$.f.-..b.CpI.....*.(....W....D.".\$]L^.`.b.eG..f"gSh."iDjl.m.n$oHq.r"tSv,"xDz{.|.}$~H...".D......$.H...&.(..............9...$.H...".D......$.H...".S.@".D......$.H...$...e.<......%.2..$.H...".D....L$.....$.J..d.H...".E.b.,.....|Q.L....D.......".D......$.H!.#"%S&<"(D*+.,L.-./.0..2.4$5L7.8.9.;$<H=.?)@0.B)D..E..G.J.L.M$OOS.x.V.!W.[.\.]%^l$`.b.h$iHj.k>mC.n.o"rDsv.x.y9z..|.}.~$.H... ....".D....L...h..".S..)..e.,.....1...'..M4e.2.......).....)....H..2....$.H...".D.......0<.....@9.5_.Q..z.f/....1...A.H..0\......p..b..U.....0.}.R.M{.><$7u.5t........s....[..S%...3...x.*...k.!e..)?....D..-...<.
      /home/user/.kde/.cfg/16C.dat
      Process:/tmp/udev2
      File Type:data
      Size (bytes):285
      Entropy (8bit):4.682938535499455
      Encrypted:false
      MD5:E6B77538E4D2625E8B1132DE5B55A917
      SHA1:CFD0B2CF28897233BFBE9D35C9BDFC5FB9BF975E
      SHA-256:D8F0A9F5566E6C8D5A8B589EFDAC8FCD3C039BB1EE1D9EA04FCF76B701D86F3E
      SHA-512:6CDFCE08752C349F9C383EB4F94BC96ECA8769449DFC05DBB0E270B18CB9C0B2B49F965BAF97A5FE9F799986A8294AE70FEFC2B040586E098ACC68F7B1B14EA8
      Malicious:false
      Reputation:low
      Preview: .[....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..P..Z%....Z..Z.*.[.$..Z..5..Z..7..Z.....Z..Z.*.[.$..Z..5..Z..6..Z..>..Z..Z.*.[.$..Z..?..Z.....Z..J..Z%....Z..7..Z..Z.*.[.u..Z..9..Z....TZ../..Z..B..Z%....Z..;..Z..6..Z..V..Z....UZ..R..Z%....Z.....Z....
      /home/user/.kde/.cfg/17.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):101467
      Entropy (8bit):7.90118340754
      Encrypted:false
      MD5:3C55AC84AAFFA349E8BC9223A22B2888
      SHA1:215994EB886AAE2D4AEAAEF862C1C2744DB4269A
      SHA-256:452830D5A6F1AFA294C7C1F8D57A4A7E2CCCA9593AC80D750E709DBCF53636E7
      SHA-512:7C4A5A05C0E63831F388F8E792738F41FCD10B1FE4BE473E6EB6E6F435B019B16E9C600D7C8F2DC00B2DB4A52B6A46F2C3B9FF3B88BE2EACFB44A60194D36365
      Malicious:false
      Reputation:low
      Preview: ......ELF........>...P...@....(8...,8.V...e..... .8..k...$....'...-.8y..0......p....#......h..$.<G..P.td.. 7%...d...18Q.....B..Rpj.........bx.F...GNU..Y.<....v*..hT=......%...cZ'N0..wa.&%....T......:@P8......C ..E..#..UaV..,.........R...h..a..A`..&...! v\....V..K.........H...T{P..(......1l.....*....D.9........$B.......]!..@....\.....~..P..D..xB@.d-.Q....i(.1....>..B.....@......P."....."(....@....V....p.{..@$.f....b!.pI.....*.(`...W....D...\.]&^.D`b.e#..f.g)h..i"jDlm.n.o$qHr.t)v,.x"zD{|.}.~$.H...".D......$.H...|(..V......H.y.......$.H...".D......$.H...).@..".D......$.J.$e.2....D...........$.H...".D...$D......%.2..$.H...".....s...(|...S..".d...H...".D......$!H#.%)&<.("*D+,..D-/.0L.2.4.5&7.D89.;.<$=H?.@0.B.D..E.dGLJ.L.M.O'S.<.fV!W.D[\.].^.$D`b.h.i$jHk.m!.nHo.r"sDvx.y.z..|.}.~..$.J. d.H...".D....R.h....).........D...........4.....L...............HY........$.H...".D......0..N...9.5_..Q.z.f/....1...A.H..0\......p..b..U.....0.}.R.M.{><$7u.5.t........s...[..S|%..3...x.*...k.!e..)?....D..-....<
      /home/user/.kde/.cfg/17C.dat
      Process:/tmp/udev2
      File Type:DOS executable (COM)
      Size (bytes):294
      Entropy (8bit):4.685865393269546
      Encrypted:false
      MD5:84124690409614DC462D4EA649DEC2C8
      SHA1:AFF61969D18DA47622DF1483A58E33E88688626E
      SHA-256:08F2E0C3242981F351C9C5419E1D1D32968F2E5B79925CC62D1690102CA4A6C1
      SHA-512:4C0154E4394BFE2A214DECEE980675C6E7B27B8B5527FFD7F133B9A7312E323EA4EA5C657A5CEB0B89A3BE050F94B12B92788966FFB5C2CCDE48E2C84B0A3E07
      Malicious:false
      Reputation:low
      Preview: .[....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..P..Z%....Z..Z.*.[.$..Z..5..Z..7..Z.....Z..Z.*.[.$..Z..5..Z..6..Z..>..Z..Z.*.[.$..Z..?..Z.....Z..J..Z%....Z..7..Z..Z.*.[.u..Z..9..Z....TZ../..Z..B..Z%....Z..;..Z..6..Z..V..Z.....Z..R..Z%....Z.....Z..Z..Z..j....
      /home/user/.kde/.cfg/19.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):97373
      Entropy (8bit):7.896742744236124
      Encrypted:false
      MD5:022444FC202EBF5B372D9B1B004698D5
      SHA1:CDF2870A74B7E6472DB72972C833CFDE9912AD47
      SHA-256:918C35D102DA88DCAA4A62F0372A1740E5E41B3F2A119C65620C9B1A0DFDE85F
      SHA-512:F9A43C7C4F3A5BE61751ED148C9311449A663B47D1E173B6E132E3A6A78DA83AE1A67C94C9A0C2658866D741DD16BD90AB87CD7CF9806D914D21CD3488157E35
      Malicious:false
      Reputation:low
      Preview: .:....ELF........>.......@....(8...,8.V......... 8..E..&..F$.|..c.-.<8..G.x...8..F......e.4.x.$..#..P.td.C ....^8,.F.8.Q.&:....R.p...x...N.Fx$..l.G8NU..wo.....}..6....?+?.8v"d.cV.N....a.$..j..b..T..@.8........ .......U ..,..H..........(..a.bs`c}&... >vX.B....J`....vj.I...PG.. .`....1~l..M.Z.....A ..I.....@.....tPc#6...z.....}.f....n.....%P.^..I..1(U...B.....2...@.. g...."(.....@..4R..>..X.@$.Fhp.RB..pI.!.r*.8"...V...D..N@DXY.[.]$.^.y_.`%a2.b$cHe.f"gDhj.lL$m..Dnq.r.t$uHw.y"|D......$.H...".S..........@R....y...$.H...".D......$.H...".D....LH.....$.H...".S.$).......$.J..d.H...".D......$.H...".D......$.H...".I.....G.).........A......".D...Y...........g..|..L....D....D...... "!S"."#D$%..S&.")e+..lh2.3..4..5.7.$.8":D?@..A.B$.C$DHG.I"KCL.N.P..Q.fR.eS.T2.U$VHW.X\.Y..DZ\.r..]..g_.`H.aHc.d%54.f..h.diLk.l..Dmo..RpH.q.r..s.t"vDxz.|.~$.@..0......_.Q.z.f./...1....A.H.0....pU......}..R.M{><$7.u.5t........s...[...S%..3....x.*..j.!.e...i...?DA...........zc'.................. ..:..F...s.`.Y"."f.)..n#..F.
      /home/user/.kde/.cfg/19C.dat
      Process:/tmp/udev2
      File Type:data
      Size (bytes):273
      Entropy (8bit):4.638982645254158
      Encrypted:false
      MD5:846797B2881EBF3FACDACB79A89F8B04
      SHA1:6D01E812169833213A41C661F4F9C012948525C9
      SHA-256:460D88B0A734B01EAB91D6E828E269459159D86485E6FA2770E839A5DB80E0FC
      SHA-512:E32FC2E5308BEABD237046ADA7116B14BC9D7E5D82A569B93C839CE332925C113B37C6799BF81E4AF901004B5D8345CB14723FC1D7583D33FD8EDCDD9001E295
      Malicious:false
      Reputation:low
      Preview: .[....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..P..Z%....Z..Z.*.[.$..Z..5..Z..7..Z.....Z..Z.*.[.$..Z..5..Z..6..Z..>..Z..Z.*.[.$..Z..?..Z.....Z..J..Z%....Z..7..Z..Z.*.[.u..Z..9..Z....TZ../..Z..B..Z%....Z..;..Z..6..Z..V..Z....UZ..R..Z%H..
      /home/user/.kde/.cfg/22.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):94841
      Entropy (8bit):7.907616731270398
      Encrypted:false
      MD5:AC2FFD13D25EFD37BC5D9B25618165B4
      SHA1:CA7497016720511EE7C5DF5B0559226FAF643939
      SHA-256:A265E3FF413B77686485A440A077D4DA5F6E34DA2C241F6561DDDD9B1653A66B
      SHA-512:A3264656FADD02514F14419722F8E5A85F2CD612883EDBA1AD2621AF8526CB5CF97D4FA8C1885E4C5C3A5983194C56D95A4F5404D9943C3606D4056E08F05954
      Malicious:false
      Reputation:low
      Preview: 0t....ELF........>....K..@....(8...,8.V.. ].....r8.".k..#.$c`..1....8G.#..GF....#hGn...e.4.x.$..#..P.td.<I%..c...m.8Q....u!.ER5pj..0......xH....GNpU.K.!..Pyv...#...'@...(..2..U$.H..Wm.....C_!.`$....T..A&.D v......u.. s.aQ.LDC.2..q\....`E.....*u.$.....R..w.H3.$."....(B..8.@..j..%....lDX.... ..@...$..t.hXl..VJW..XJY.d[H\.]"_D`d.e.g$iHk.m"pDtu.<Sv.#x.y/x"zS{.+..d.I.94...%.l$.....$.J..e.2..$.H...)....".D.......XS..".D......$.H...".R.8....)..y...9...$.r.$.H...".D......$.H...".D......$.H...".D......$.J.pe.|....z...Qe....c..^..............".....D.,.P.\cw`$!..W......?.L....0.')1@..U.0c(..A.B.m.(.....2..#(^iPD.,..G..Q....Z[1..A.)`H..=......E...e...$..`|`..9... ..W}p.~....I....P..0...x..z..c.!r...}..r...+.Q`.......?=.c...b..N........d!............~.gLh........K..X.O.zo..&@.M...u.N....On..V...;.........y..qX.[.1.......w..B...~.>..,;1...f...)...`...a#..".=.......6....x.i...?..v...... .!%......(i...8.fh.L......}o..u...k.......\...|.=..Z..s......5o:..yA....CE........v...^h.....7.....\).....+.K.....!
      /home/user/.kde/.cfg/22C.dat
      Process:/tmp/udev2
      File Type:data
      Size (bytes):496
      Entropy (8bit):4.878298422669574
      Encrypted:false
      MD5:5BA198356D1BE9DCF4188F2AE975DBF2
      SHA1:6A44D7C0569297E41C6C522D299143328CF12354
      SHA-256:60D92C4FA2EF4072535D50ECC4E7BCCBE08DC586E90E88E4AFC88ED17EB8796F
      SHA-512:3A891595AF00B017B0B7F853326EAD0DC095AABBE72801BC911ADDF2E4B9EE9D1D7573EA2553F68FCB87A61A31A15198963A9A19CB6FBD86F7CBC516CBB6A762
      Malicious:false
      Reputation:low
      Preview: Z[....TZM.Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..S..Z.....V..Z.....Z..V..Z..x..Z..V..Z..x..Z..S..Z.=...S..Z.2...V..Z.3...Z..V..Z..x..Z.....Z%....Z..7..Z..?..Z..3..Z..z..Z..5..Z%....Z..*..Z..)..Z$....Z.....Z%....Z..5..Z..?..Z%.<..Z..?..Z..".+Y..5..Z..6..Z..z..Z..(..Z..5..Z$.5..Z..(..Z$.9..Z..5..Z.....Z..?..Z..;..Z..6.+Y..5..Z../..Z..5..Z..Z.*g[....Z..9..Z..?..Z.....Z..8..Z..(..Z.....Z..8..Z..(..Z$.1..Z..8..Z$.9..Z..3..Z../.+Y..5..Z$.3..Z.....Z..5..Z..4..Z..V..Z.....Z..
      /home/user/.kde/.cfg/23.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):179568
      Entropy (8bit):7.930402053796992
      Encrypted:false
      MD5:ABDDE9E203E97325A3538A167B2D3EFE
      SHA1:9CDA82FFE3F18E8E7FF10AFF84483BAC3B5BADC7
      SHA-256:6B2205507C2A739DA01028F936561094FB649E71D44FD68949C2032B6E0070ED
      SHA-512:FCA5644A9B6939C644191CE8B739F87BBC3CAC84EFD4DA0F74BB67FDF695ED6F28F750299D094FE242566015374853C6ADCD59ED4134B743CBF6FFE689FCF66D
      Malicious:false
      Reputation:low
      Preview: ......ELF........>...@O..8R..(p8G.@,..Z.. ......8...8..L.*......Hn.8#..`.#.......7G..2....<.p$....P.td.#H.B...l..6.8EQ..:....R.p.......N.Fx$..l.G8NU...j.....RQ........}..;....>'N0...a.t......B.q.........@.o ..7..Q...d,"..|.........A.> .}`....PX.j..H.R..d0..@!*3Q....H...f.. .O`..@.....P.#Z.`.4...0.4...i@...7[....3d..^U..B....k..@...g....0!7..V,%.....V..bAp..X."...3.T.c...>...#A.B..D.E<.F.GK."HDIJ.L.N$PHU.X"ZD\^.`.a.8bL.c.d.e%f2.g.`Li0.j.Sk."lDnq.t.v$xH{.~66.p........).Pe.+d".S..".G.".G.).0d.H...2..$.H...".D......$.H...4...^S..)..d.J..e.,....D......$.H...".D......$.J.HY....4.........K.".G.)..d.H...".D......$.J.,e.2..9....xD......H...".D......$.H...".].M...........MW}p|q.w....m95.o:.........x....k.pL..yY........`...^.Q............@."(^0i.!...P......e.1....3...1.....H...+.Q.......x.i.?=....$.. t.....30..A..\cw.2../....O.?.t.N...z. .b.!.r..^.......7@~...#.."...1$..x/%..8.fh...t)..'..G).j......:v!`D...?...+.zo....U.B..Z[<3W.9...e..>.D..1....`.=h..v....Qe.......,..G@....s.C.E....2 .G.x...!.."
      /home/user/.kde/.cfg/23C.dat
      Process:/tmp/udev2
      File Type:Non-ISO extended-ASCII text, with LF, NEL line terminators
      Size (bytes):148
      Entropy (8bit):3.8846685903879883
      Encrypted:false
      MD5:C4D7AA3D9FC2A95049831DF568212C4B
      SHA1:49E6A73ED67EBEB25CDBFBE8BBDFE564D29E0D61
      SHA-256:C6D81C1AD1FB89F6F0677DE142662DE179F2357327534EE475F081A20D834239
      SHA-512:C68BF1A585F092B380669453785AF80E748EE2278B5FF0E11949EDDC844A29C8EC5055E3E96D8CE01B0A51CF3226DE34D963382B46CC05570F707233A0F78F3E
      Malicious:false
      Reputation:low
      Preview: >Z....TZ).Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.=...S..Z.2...V..Z.3...Z..
      /home/user/.kde/.cfg/24.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):155643
      Entropy (8bit):7.897760525497651
      Encrypted:false
      MD5:4C395C84CFB214386B4607831146DEF2
      SHA1:41A2BE327766FCBFD53B1CA445289637D33E1529
      SHA-256:53F2812D1700124ED4A09DCF874928E1E853A3B50A99FF87AC663FC7525ACB4B
      SHA-512:23F344CCFF2A231B44917EA04068E20B0F9EF29F26CE3C1F75E4762F99B5C00A668E0C941A7B198E4E5AF01520CDE4335D3352AD2B1B7DD46D371BF181E19D7E
      Malicious:false
      Reputation:low
      Preview: .4....ELF........>....V..@....(8...,8.V......... .8..x+I...'.\...P..O8#....#.........b....M...8$G...P.td..4....X....F8"Q....H.QRMpZ....f...#x..6...GNU..J...+..Q.o.....]u..v[.L..N.N....a.....U... ...!.....}.....*.O ...QP..C.,D...j..,..H<|..A@..........X...fH......@.k..x.h.3..+.of.. 9O...`...tPc#...94E..0$..s..v..*.l.p..1.Ad..FU..B....q...@.(........Gs,%......V&.A.p.;..."...#.T.......O.P&R.DST.U'X"WDXY..D\`.a.d$fHi.k"nDsv.w.x$zJ{<d}H~..i ........D.......".R. ....".D..........$.H...".D......$.H...\..$.H...".D......$.H...8..$.J......$.H...".D......$.H...".D......$.H...".D......n.d...H...".D....s.......".zA......Qe...@....^.(Q...!.......E" H7.....D.\c0w$!..W......?.L....0.&.,..e@@.Uc......(.)A!B..m......2...#(^iD..,.G...Q..H.^..Z[.0..A$lr.E.9G..H..=..I....@E;".#....e.1.....=v.U.B...$..e|`.....*.... ...W}p|..;....VZ.P.0.#......x....c..!r.0.}..r...+.Qy.f.a`......?.=.....J..2.c).b...N.?......d!............~.g.y..Rh...!.........K...`.z.o..&..M...u.N...O.n...d..V............qX.[.1.......w..B. .~
      /home/user/.kde/.cfg/24C.dat
      Process:/tmp/udev2
      File Type:Non-ISO extended-ASCII text, with LF, NEL line terminators
      Size (bytes):148
      Entropy (8bit):3.8846685903879883
      Encrypted:false
      MD5:AFA179073CECA62AEF5B1E60CE8C5294
      SHA1:F9359EA5C390FC5DBB95B88B83FA0B6F3A9AD030
      SHA-256:60E90EB97CE6CC9C365E00A9B76C4A20557EF6268543C2D12F6D569AFBBE2BD6
      SHA-512:7D084401D2FD9528C10AE8C2AFE916EE8B540FE802C159C5DCCD0B4CDBDC446946E12723B73AE4E6EB15FE591FD3D2A4C9AD88357F93033414A4CE886D8D92FE
      Malicious:false
      Reputation:low
      Preview: >Z....TZ).Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.....V..Z.....Z..V..Z.....Z..S..Z.=...S..Z.2...V..Z.3...Z..
      /home/user/.kde/.cfg/27.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):136293
      Entropy (8bit):7.892721368390249
      Encrypted:false
      MD5:5EFEA797FAB6D41B13A7C43479B57FA7
      SHA1:AFEBBF20D9DCF4E6B34CB6F0C71713E332C192DC
      SHA-256:A3BA4E9224EB3AC3A6F4D97C326EA2F143C14F840C41AE71D6A3AD9A41B9A1B8
      SHA-512:25C2170C426DAAF7906A321A03590E8C04EDC839728F4141609FB3D752C2FCBB9E54C1D8F93EE7A9B8F91DD61A798DAC27F7FF4AE4DA863DF08255D834656626
      Malicious:false
      Reputation:low
      Preview: ......ELF........>...@b..8R..(p8G.@,..Z......... 8..E..&..F%.(..c...<8..#..2.%68..F......e.4.x.$..#..P.td.F.....c<..m.8Q.C&....)Rp..P.......bx.F...GNU. \_.b.m..u>.2...N....,....V'NRc.uA.......l....O....H.."...`@D.Y!..c.z...H.....n.|..a..0._8@..WN...D..7I...'.\.@...`...q..........<B. 0UH...@....`.pU!.....D...0$.?.r;.@.. <........lQd.w..`....B.j.._h..H.l...F.....j.. ...B>...`$.F.6.U..*p....."h.[..T.+.V..W..Y.Z..#[.\.]K."^D_`.b.e$iHj.o"qDst.v.w%z2<{..|.}%.2..%.,d..........%.,$.....$.H...".G.".D......$.J. d...".D....D....D...........$.......2..9....D....7.@..........XY.K.".V.x....".S..".D....D......$.J..d.H...)..y.......$.H........".D......%.2$.....t..........|..2!...%.2.......)............L....L.!.........b...}p.|qw..5o:.....x7(y.%.......=S..*...M<...s......C.O..)^.Q.........V[..|).."..."(^i.........o3..9.!.......'.....+.Q.v~0..!..p......x..i.?=.0z.Y...$..!...7...0...A.\cw.2...k]..`V....u....r....../.....1.KB.U.i.x...!r...^.........."..R...,)....E8.fh...%.L._...6).j.......v!..4...?...+..N
      /home/user/.kde/.cfg/27C.dat
      Process:/tmp/udev2
      File Type:data
      Size (bytes):153
      Entropy (8bit):4.121042231247292
      Encrypted:false
      MD5:616BFC08B0A8C73846FB6B5DC4AA840B
      SHA1:F84BB5734E256FB0441EE237158F0924327C81E3
      SHA-256:5268CAA6453A301209BD10DC394644B694BAF54340B8573FB94BE51C6B930E1A
      SHA-512:422AB48BF97C3BB57BA91CA842D37B15DA3FF1D4251CE3DCFAEE7A2384AAD42ADF163B0325663AE7985774A4E40766881908593F8C5743415C09C1B8B0395CF3
      Malicious:false
      Reputation:low
      Preview: 3Z....TZ4.Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z....UZ..R..Z%....Z.....Z..z..Z..j..Z..Z..j..Z..Z..j..Z..Z..j..Z..Z.....Z....
      /home/user/.kde/.cfg/28.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):83766
      Entropy (8bit):7.902114645846429
      Encrypted:false
      MD5:DB14A2E982A6E3F5F2B8A070868A6392
      SHA1:ECC1AC08DC3D218174211052FE4F40128F00DC95
      SHA-256:21263FDCD33591E3907C61841EBC2BEECC81EBC8BA1749C14B3DEA246DC7E5FF
      SHA-512:D970C8FCE868C7440CF3095F98D2156329654714167A797F616059EC8778DC487FC6BA1C4C9021EB7AD2B528C8796C2F9F097F097C02AB899100AEF99494C7B4
      Malicious:false
      Reputation:low
      Preview: .u....ELF........>...P]..@....(8...,8.V..pg..... .8.....#.#b...l...8G..`l..#....#g....2....<.p$....P.td.#.LB......6.8EQ..:....R.p...`...N.Fx$..l.G8NU.....D|:.t%u....O.M...C....X'N0..uA...S.E{........B.@$ ..."..QD.3.l...h..r.X.<.a=....u.0.U.......l..L.........@....0..d$.*.P....0.. NH....@....!XU#....2<D.u.d...!.e...&...(.Ad.D......R....#k...H.Q{.3.l....."V..$*P..w.2.F......ph...*.].V\........I...^#`.b2e.f..h.n$oHq.s"uDwy.}.~.,.L...H....$.L........ D......$.H...).(d.H...".D......$.H...".S.8)....".D....L...d..".D......$.H...(....".D....... ...$.H...".D......$.H...".D...DD.......,.F..D......$.H...r%.......D.....zY..i.......a...7Qe...0)....l.....@_.Q..v,.. .....h......"....@DF3........\cw$.)..W......?.L....0.'.@....&[..D..).!B.m....2...#(^iD_.,.G..Q....Z[1..}A.)H...=..;".#....e~+....h.R...........$..e|...o......`a...W}p|Z.C..4"+.H.uq..... .C..P...J#.....x....c..!r.*,u.0..}... .+.Q..Mf.`.......?=.c...b...........d!................~.f.)....y-...h........K....~.zo..&..M....w.:..k........On..V.
      /home/user/.kde/.cfg/28C.dat
      Process:/tmp/udev2
      File Type:Non-ISO extended-ASCII text, with LF, NEL line terminators
      Size (bytes):121
      Entropy (8bit):3.983970525241234
      Encrypted:false
      MD5:D467056AA0AFE85D5F4C0AADD9779BC7
      SHA1:E6EB7CFDB21F3660C119BB2DA84557195EAD48D9
      SHA-256:B7555070E8637C43AAE7DEE908FA51994C21130972D86E6A9689A911CBDD3480
      SHA-512:0429C15DA6D5F6EE4C4BDD8626C0EB09989A67D8FFE361C29714F2BCA767E8FC19D9E09F65274489766AE045B2BA9992F2B3A9B612213F90E2B2D13FDEE01129
      Malicious:false
      Reputation:low
      Preview: .Z....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..S..Z..r..S..Z..r..V..Z..r..[..S..Z..r..S..Z..r..
      /home/user/.kde/.cfg/29.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):79889
      Entropy (8bit):7.887368868933333
      Encrypted:false
      MD5:1B3E921BB718A6F1B09418474799F04F
      SHA1:0F69F8AA23907650BCBE4584A2C3F29AC9991239
      SHA-256:02917AF32EB15DC810B2C046049179BD5B6C429FA1989E94436930EF35F39667
      SHA-512:817A564E8F6E73184B497B9D5910F4EB25E496CE39D2DB57F754EE513EA25377C069B48E8AFC07C0D43228AE33099C2ECB32E91D1E340B3D6528B26071A6EFAA
      Malicious:false
      Reputation:low
      Preview: .v....ELF........>....o..@....(8...,8.V..|]..... .8...l&..F#...3...<8..Ghx...8..F......e.4.x.$..#..P.td.FX>...c...m.8Q....u!.ER5pj.........xH....GNpU..C.%M..)...\.a.U..h....2..NNN`..uA..8..$._.@.....w.y.= ...g ..U-..f,..............a!b..u?..W.~................P#..!.&....0l....*.....= ..IgH..@......PU!6...TL`..$|.m....w..P.%P...@^.1.GU...B.......f.F.'..."n(L.....4R..>..2..$.Fh....'v*I..{"...@.V...DH...P.Q2R.SNPST."UHV..WO..Y"[d\.]H_.`"dDeh.i.k$lJn8dpHq.r"tRuT.v.x"yDz}.0y~K.".D......%.2.......$.H...).De.+d".G.".R.....d.H...".S..".S..".D......$.H...".D...0D....L....L....D.........$.H...".S..)........".D....D......O........J..d.H.......d.H...).........r.%.2..............S..".S..".G.".D.......".D...$S!.""....j.........W}p|...b.qw..5o:..OW.....x.........,.y..7#.........^..Q..........X...^i.!......)....S....2.}.!,.U.z.)..+.Q..O.......x.......i....;.....?=...$.q7..M0..A.\.cw....O...R.2.......yBY$........;/.z... ...z..Z..Sb.!.rv7.p..^...) .........."..@.!...18.fh...%)&...Cv.....X(.....Fj.......
      /home/user/.kde/.cfg/29C.dat
      Process:/tmp/udev2
      File Type:data
      Size (bytes):111
      Entropy (8bit):4.128518324538023
      Encrypted:false
      MD5:041DB353B571E867EC295E1225A565CD
      SHA1:44BABA85667816BBBF2ECC3F120BDF62F1887FEB
      SHA-256:28FF514D741360922ADEFEC84BC98EDCC19485B1B39646178DA60EC36F1084B6
      SHA-512:FCD6E16E1DC6642D2E401EAD6E30D85802A27FE6E9BD2BBE2FD909D6649F3521007C7099CAF07D8BFF68FEDCF7E79BCDA6F7963566786409FB4B30ECC58B78D6
      Malicious:false
      Reputation:low
      Preview: .Z....TZ..Z..k..V..Z.....Z..V..Z.....Z..V..Z....._..S..Z.....V..Z.....Z..V..Z.....Z..R..Z%....Z..j..Z..Z..j.)..
      /home/user/.kde/.cfg/7f.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):126399
      Entropy (8bit):7.940058731218218
      Encrypted:false
      MD5:C8A521E783491FBA15EB5D52DA1CE71C
      SHA1:C20B763354F39DD97157A19DC993118C8920405D
      SHA-256:F68A1F6FA9D048F1BA8EB64046C4C6A8D30EC7C53387C5080B0133DF86EBE7CE
      SHA-512:A718AFA98AC1E3501534BE9B3BAAE1ED1D8357EBE07A2C90260E01B3D45E59E946044FD528894B62863B45AAB42E8AD33EF45A791750AECF0009B63873BFD268
      Malicious:false
      Reputation:low
      Preview: ......ELF........>...@u..8R..(p8G.@,..Z..t...... 8..E..&..F$.0.3/).<8..G.x...8..F......e.4.x.$..#..P.td.<.%..cD..m.8Q.C&....)Rp..Px......bx.F...GNU..g..xb..As1...m%.....B...c.'N0..%.....(..0...(...!...6.D@r.qA..`..!s..5..!(..H4).....N80A..U.:...... ...w...LD..AgHBB......$..@..........C...(`...D.....T.v4......&.......2hK..I.............$..$.C.L.....".Bp...9.,.......M.Gb:..T....J.......M.....#....( ....f..0.c......$(.... .......$..L...6v..!..#$%.^R&..*.+H../"1D45.6.:$;H<.=,?h.BHC.DP.E9I.J%K,.L.DMP.xI.H..DSU.V.W..YL.[._.`$aHc.e..g.h)i..k"mDoq.rb...u.v$w...y.{2}.~%.2........0D......$.H...".D......%.28.%.,H...L..........$.J..^D....R......)..e.2..9...$.H...)....+.ld.H...".D....c.B.8.C......D...P..)....#...".D....D......%.2..$.H.../ ".G.".R......".D...D...Ld.J......$.H...K...R.g....8...!......D...$S..".d...H...".D......y..Hv{db.....Gs....?.@OEtp....m..o.]...9.O.+.Y.qH..0[W.z.....D.-_Cy... ...a.P8.)..w..i....c...SO.C.e..5..~...:X..w...'......B........D.;a............c.......\./.]..Q....M.N.!.)
      /home/user/.kde/.cfg/7fC.dat
      Process:/tmp/udev2
      File Type:Sendmail frozen configuration - version \001\001
      Size (bytes):2403
      Entropy (8bit):7.864122365732561
      Encrypted:false
      MD5:7AD1D560E7089BB33F03081729B29DC0
      SHA1:4E24F2C656CA98D5337D893DDC23B58FD6FC56AB
      SHA-256:8EF61F6B2EB040061C132CF2A483E35D6B68721AF36C667469CE75FF854B3D17
      SHA-512:BB28405A52EDCD796B52D27AD5684DB0177576F6A333DAFECA3760F7595BB0161F2EE352857C268683681704AC80FACEDC73F31410DAEB0F1492E2F70B2C11C8
      Malicious:false
      Reputation:low
      Preview: &.0.."0...*.H.............0.........{e..r.+..R..Sf..t....{..Yw.v..S.M.5>3.Y../')..P.-],.Q.x@wf............i.........[fr...q.}|.....(.A..$..Qg[t..svo9...]:>............F =.B%._......T...i..FTE[MI...........z...k......5}j..DI@#KG..&.U+..R.........~..A..%0..W5+.N[........t$...KL.qh.....8.....w.....&.0.."0...*.H.............0............s.e.D.<I.;myI..M8.f..J"......r.x..M.....I.O.2S......h........n0t}.4.........ngp..*\..........hP.w2;..H.|;.'.4bA..;eZ..xh=._.....u..5..D[R.XW.-..az....M.......I......O.B_.R...V{u...}f.@..M.Zv...mr]....I.)..+Z..y..Pb.......l?....u.......H.."J......,I.8.......@.0..<....A......5A...A..EU.&U..e...nE.@z...J....7|.$...1c.D....b...Y...W.^.......@d_.|...|.+N.u.'...L.......2<hCu......F...*q...Q.B.o~.S.16.v...@Y.!...$6.[.q.xq.YBv.s...e....~v....#.!...j.7#^.J....c....f..d.yW.Z).....!..g.~.~....n....]...)..w...A9.D2..!..MA.).5>WZ.w.`...P..'...#..A.`.5.!.......M.2.Z....^f.?...#Sh9.EN=....0............dh.|....K$.......5..R.#G.o.....=2$.w/5r...5.Bhxp. ...l...{h....1k..R..5
      /home/user/.kde/.cfg/80.so
      Process:/tmp/udev2
      File Type:data
      Size (bytes):338260
      Entropy (8bit):7.887084189664659
      Encrypted:false
      MD5:EBC0AF066FE69A5B5E7C13D0B9C1B15D
      SHA1:049DDF6FEACA31509AACFFD107CD2921110245CE
      SHA-256:CA63CFD9C7C286367790427D1550603946A8513181B38BD3C1EAC872ED415DE5
      SHA-512:CED5CAE4615E931F5B6A56252254ECB6AECB5773C68641BF1AF2D783F004D9F58F9314B95961344895661A11F89B111B598A8A13057BA9119AD8B14EF85CD187
      Malicious:false
      Reputation:low
      Preview: ......ELF........>...p...@....(8...,8.V..<...... .8..h..#.-bx../...8.G#..GF....#g....2....<.p$....P.td.#0.B......<..Q.q.C....)Rp..P.......bx.F...GNU.^......0J......q...,t..&.cIwN.......". ...G.t.yO..z..(..RZ.*`.A.i.8.P.c..., .....<..ch...J...A(......=...TX.@.....H.\"..,0..(....@a$ 5$.B2.|.....C.....*.,H..$o.r.:.Q.P.R.N?.X..O.......U...R.A....LE...!.lc.(.`v..R.)..H.. ..BIb.D...q..H.(......D....M.-.@%.. .&...)..p...>$fc..B..\.@.....y"zd|.}H...rX.%.2............%.2.......$.H........".D......$.H...".D...(..H......eT..,..........%.2.......$.H...".D......$.J.4d.H...".R.x...d.H...".D......$.H...<..$.V#.."..D......%........x....S..".d...H...""D%(.,..$4H5.7"9D<=.>.A.LB.D..t.E)F..H.I)J$.K.M..O"QDRS.U.V$YHZ.]"^D`b.d.f.Di[p)j.ekl.l.m..o"pDrs.$.t.v..y"|D~.....$.J.0f..d...J..d.H...+.|d....................e...2..$.H...P..2....%.3..2....$.J..d.H...@..$.H...>.K3.."..D..........St..V...^.Q.....`..T;g..f,........!h~[.p...U.....Q.]..........0..}.7....KL.6...cu.5....zj...[....J..(%..3....B...xt6.k.5:.]....
      /home/user/.kde/.cfg/80C.dat
      Process:kthreadd
      File Type:data
      Size (bytes):5197
      Entropy (8bit):3.92137070723419
      Encrypted:false
      MD5:9DC97010D28FC047AE91277EB3A7FAC5
      SHA1:67D43B88D9B9D280F82ECE672032865EEDFF2A99
      SHA-256:9F4FB1E43306518BD2B0FD927300D6C081B1BD204CAE410E4595EF804EDF4009
      SHA-512:2B6FF04D8C6B586CB24CB525B69316AD82E7F0DDF67463E108B61B9C6EC