Linux Analysis Report
hwLFomKm8k

Overview

General Information

Sample Name: hwLFomKm8k
Analysis ID: 635041
MD5: 038da709550f5fa2fb58077767bce04b
SHA1: 62c70c834e0a65db09099aa1d2b465244222816f
SHA256: 9e35c0b5c812027d6698b662bb771ada7c1d40cf04050f450feebcbbdbff6b9a
Tags: 32elfmips

Detection

Mirai
Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Yara detected Mirai
Sample deletes itself
Sample is packed with UPX
Deletes security-related log files
Opens /proc/net/* files useful for finding connected devices and routers
Executes the "kill" or "pkill" command typically used to terminate processes
Sample contains only a LOAD segment without any section mappings
Reads CPU information from /sys indicative of miner or evasive malware
Yara signature match
Deletes log files
Uses the "uname" system call to query kernel version information (possible evasion)
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Executes the "rm" command used to delete files or directories

Classification

Source: /usr/bin/pkill (PID: 6265) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6272) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6275) Reads CPU info from /sys: /sys/devices/system/cpu/online

Spreading

Source: /tmp/hwLFomKm8k (PID: 6234) Opens: /proc/net/route
Source: global traffic TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: hwLFomKm8k String found in binary or memory: http://upx.sf.net
Source: LOAD without section mappings Program segment: 0x100000
Source: hwLFomKm8k, type: SAMPLE Matched rule: SUSP_ELF_LNX_UPX_Compressed_File date = 2018-12-12, author = Florian Roth, description = Detects a suspicious ELF binary with UPX compression, reference = Internal Research, score = 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
Source: classification engine Classification label: mal64.spre.troj.evad.lin@0/1@0/0

Data Obfuscation

Source: initial sample String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /bin/sh (PID: 6265) Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 6272) Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 6275) Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1582/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1582/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1579/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1579/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1699/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1699/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1335/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1335/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1698/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1698/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1334/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1334/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1576/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1576/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/2302/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/2302/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/910/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/910/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/6227/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/6227/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/912/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/912/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/2307/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/2307/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/918/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/918/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/6240/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/6240/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/6244/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/6244/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/6246/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/6246/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1594/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1594/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1349/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1349/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 6265) File opened: /proc/2/cmdline
Source: /tmp/hwLFomKm8k (PID: 6242) Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/hwLFomKm8k (PID: 6254) Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/hwLFomKm8k (PID: 6257) Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/hwLFomKm8k (PID: 6260) Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/hwLFomKm8k (PID: 6263) Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/hwLFomKm8k (PID: 6270) Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/hwLFomKm8k (PID: 6273) Shell command executed: sh -c "pkill -9 python"
Source: /tmp/hwLFomKm8k (PID: 6278) Shell command executed: sh -c "iptables -A INPUT -j DROP"
Source: /bin/sh (PID: 6245) Rm executable: /usr/bin/rm -> rm -rf /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/hsperfdata_root /tmp/hwLFomKm8k /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 6256) Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 6259) Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 6262) Rm executable: /usr/bin/rm -> rm -rf /bin/netstat

Hooking and other Techniques for Hiding and Protection

Source: /usr/bin/rm (PID: 6245) File: /tmp/hwLFomKm8k

Malware Analysis System Evasion

Source: /usr/bin/rm (PID: 6256) Truncated file: /var/log/wtmp
Source: /usr/bin/pkill (PID: 6265) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6272) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6275) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/hwLFomKm8k (PID: 6234) Queries kernel information via 'uname'
Source: hwLFomKm8k, 6234.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6236.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6238.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/mips
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6236.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6238.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp Binary or memory string: /usr/bin/qemu-mips
Source: hwLFomKm8k, 6234.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6236.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp, hwLFomKm8k, 6238.1.00000000e5b0d7d9.00000000bea2d181.rw-.sdmp Binary or memory string: 2U%V!/etc/qemu-binfmt/mips
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp Binary or memory string: R%V/tmp/qemu-open.WSG3Jy\
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6236.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp, hwLFomKm8k, 6238.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp Binary or memory string: |x86_64/usr/bin/qemu-mips/tmp/hwLFomKm8kSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hwLFomKm8k
Source: hwLFomKm8k, 6234.1.0000000006c5c63c.000000008ff4f6cb.rw-.sdmp Binary or memory string: /tmp/qemu-open.WSG3Jy

Stealing of Sensitive Information

Source: Yara match File source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6238.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6236.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY
Source: Yara match File source: 6234.1.0000000087779f1c.0000000053d66254.r-x.sdmp, type: MEMORY