Play interactive tour

Edit tour

Linux Analysis Report test

Overview

General Information

Sample Name:	test
Analysis ID:	554658
MD5:	d20e3e491d242d649c3fcf4879f2cbf2
SHA1:	681406d197c6de50bc611bb466c012f0cd9b4aa6
SHA256:	f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876
Tags:	elfXorddos
Infos:

Detection

XorDDoS

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Antivirus detection for dropped file

Yara detected XorDDoS Bot

Sample tries to persist itself using System V runlevels

Writes identical ELF files to multiple locations

Machine Learning detection for dropped file

Sample tries to persist itself using cron

Drops files in suspicious directories

Sample deletes itself

Machine Learning detection for sample

Uses dynamic DNS services

Writes ELF files to disk

PID-file does not contain an ASCII number

Writes shell script files to disk

Reads system information from the proc file system

Uses the "uname" system call to query kernel version information (possible evasion)

Executes the "systemctl" command used for controlling the systemd system and service manager

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Executes commands using a shell command-line interpreter

Reads CPU information from /proc indicative of miner or evasive malware

Writes shell script file to disk with an unusual file extension

Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	554658
Start date:	18.01.2022
Start time:	07:46:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	test
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal100.troj.evad.lin@0/20@1/0
Warnings:	Show All VT rate limit hit for: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Axlkat

Process Tree

system is lnxubuntu20

test (PID: 5222, Parent: 5116, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /tmp/test

test New Fork (PID: 5223, Parent: 5222)

test New Fork (PID: 5224, Parent: 5223)

test New Fork (PID: 5225, Parent: 5224)

lqzpnnvgqq (PID: 5225, Parent: 5224, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/lqzpnnvgqq

lqzpnnvgqq New Fork (PID: 5226, Parent: 5225)

lqzpnnvgqq New Fork (PID: 5227, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5228, Parent: 5227)

lqzpnnvgqq New Fork (PID: 5229, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5230, Parent: 5229)

update-rc.d (PID: 5230, Parent: 1860, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: update-rc.d lqzpnnvgqq defaults

update-rc.d New Fork (PID: 5235, Parent: 5230)

systemctl (PID: 5235, Parent: 5230, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

lqzpnnvgqq New Fork (PID: 5231, Parent: 5226)

sh (PID: 5231, Parent: 5226, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"

sh New Fork (PID: 5232, Parent: 5231)

sed (PID: 5232, Parent: 5231, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -i /\\/etc\\/cron.hourly\\/cron.sh/d /etc/crontab

lqzpnnvgqq New Fork (PID: 5252, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5253, Parent: 5252)

cmltpcveev (PID: 5253, Parent: 5252, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/cmltpcveev pwd 5226

cmltpcveev New Fork (PID: 5254, Parent: 5253)

lqzpnnvgqq New Fork (PID: 5259, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5260, Parent: 5259)

ydvgqptufg (PID: 5260, Parent: 5259, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/ydvgqptufg "ls -la" 5226

ydvgqptufg New Fork (PID: 5261, Parent: 5260)

lqzpnnvgqq New Fork (PID: 5264, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5265, Parent: 5264)

qmdgzglfzw (PID: 5265, Parent: 5264, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/qmdgzglfzw "cat resolv.conf" 5226

qmdgzglfzw New Fork (PID: 5266, Parent: 5265)

lqzpnnvgqq New Fork (PID: 5270, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5271, Parent: 5270)

fqimirdumn (PID: 5271, Parent: 5270, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/fqimirdumn top 5226

fqimirdumn New Fork (PID: 5272, Parent: 5271)

lqzpnnvgqq New Fork (PID: 5275, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5276, Parent: 5275)

mpetjlbbrw (PID: 5276, Parent: 5275, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/mpetjlbbrw su 5226

mpetjlbbrw New Fork (PID: 5277, Parent: 5276)

lqzpnnvgqq New Fork (PID: 5280, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5281, Parent: 5280)

ikjjfxjdrw (PID: 5281, Parent: 5280, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/ikjjfxjdrw "cd /etc" 5226

ikjjfxjdrw New Fork (PID: 5282, Parent: 5281)

lqzpnnvgqq New Fork (PID: 5285, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5286, Parent: 5285)

laeuklbisl (PID: 5286, Parent: 5285, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/laeuklbisl who 5226

laeuklbisl New Fork (PID: 5287, Parent: 5286)

lqzpnnvgqq New Fork (PID: 5290, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5291, Parent: 5290)

reasemoxfd (PID: 5291, Parent: 5290, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/reasemoxfd top 5226

reasemoxfd New Fork (PID: 5292, Parent: 5291)

lqzpnnvgqq New Fork (PID: 5296, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5297, Parent: 5296)

dembkqdnnd (PID: 5297, Parent: 5296, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/dembkqdnnd "ps -ef" 5226

dembkqdnnd New Fork (PID: 5298, Parent: 5297)

lqzpnnvgqq New Fork (PID: 5305, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5306, Parent: 5305)

xlkatqzakt (PID: 5306, Parent: 5305, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/xlkatqzakt who 5226

xlkatqzakt New Fork (PID: 5307, Parent: 5306)

lqzpnnvgqq New Fork (PID: 5310, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5311, Parent: 5310)

uwjxivocaf (PID: 5311, Parent: 5310, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/uwjxivocaf "grep \"A\"" 5226

uwjxivocaf New Fork (PID: 5312, Parent: 5311)

lqzpnnvgqq New Fork (PID: 5315, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5316, Parent: 5315)

hrdgxiqezw (PID: 5316, Parent: 5315, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/hrdgxiqezw ls 5226

hrdgxiqezw New Fork (PID: 5317, Parent: 5316)

lqzpnnvgqq New Fork (PID: 5320, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5321, Parent: 5320)

bsnzgwmdyz (PID: 5321, Parent: 5320, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/bsnzgwmdyz "route -n" 5226

bsnzgwmdyz New Fork (PID: 5322, Parent: 5321)

lqzpnnvgqq New Fork (PID: 5325, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5326, Parent: 5325)

pgpndyvjry (PID: 5326, Parent: 5325, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/pgpndyvjry ifconfig 5226

pgpndyvjry New Fork (PID: 5327, Parent: 5326)

lqzpnnvgqq New Fork (PID: 5331, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5332, Parent: 5331)

lvhmzhponu (PID: 5332, Parent: 5331, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/lvhmzhponu id 5226

lvhmzhponu New Fork (PID: 5333, Parent: 5332)

lqzpnnvgqq New Fork (PID: 5336, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5337, Parent: 5336)

rlgxokxghy (PID: 5337, Parent: 5336, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/rlgxokxghy "ps -ef" 5226

rlgxokxghy New Fork (PID: 5338, Parent: 5337)

lqzpnnvgqq New Fork (PID: 5341, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5342, Parent: 5341)

tsaycfvlxl (PID: 5342, Parent: 5341, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/tsaycfvlxl "cd /etc" 5226

tsaycfvlxl New Fork (PID: 5343, Parent: 5342)

lqzpnnvgqq New Fork (PID: 5347, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5348, Parent: 5347)

crjtcddcvs (PID: 5348, Parent: 5347, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/crjtcddcvs bash 5226

crjtcddcvs New Fork (PID: 5349, Parent: 5348)

lqzpnnvgqq New Fork (PID: 5352, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5353, Parent: 5352)

vypsjwtnwx (PID: 5353, Parent: 5352, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/vypsjwtnwx ls 5226

vypsjwtnwx New Fork (PID: 5354, Parent: 5353)

lqzpnnvgqq New Fork (PID: 5357, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5358, Parent: 5357)

wkgsskqrhz (PID: 5358, Parent: 5357, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/wkgsskqrhz "route -n" 5226

wkgsskqrhz New Fork (PID: 5359, Parent: 5358)

lqzpnnvgqq New Fork (PID: 5365, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5366, Parent: 5365)

breklnwkhg (PID: 5366, Parent: 5365, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/breklnwkhg "sleep 1" 5226

breklnwkhg New Fork (PID: 5367, Parent: 5366)

lqzpnnvgqq New Fork (PID: 5370, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5371, Parent: 5370)

wsgrxxhjuz (PID: 5371, Parent: 5370, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/wsgrxxhjuz ls 5226

wsgrxxhjuz New Fork (PID: 5372, Parent: 5371)

lqzpnnvgqq New Fork (PID: 5375, Parent: 5226)

lqzpnnvgqq New Fork (PID: 5376, Parent: 5375)

myeasimsce (PID: 5376, Parent: 5375, MD5: d20e3e491d242d649c3fcf4879f2cbf2) Arguments: /boot/myeasimsce top 5226

myeasimsce New Fork (PID: 5377, Parent: 5376)

systemd New Fork (PID: 5237, Parent: 5236)

snapd-env-generator (PID: 5237, Parent: 5236, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
test	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security

Dropped Files

Source	Rule	Description	Author
/boot/ikjjfxjdrw	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/cmltpcveev	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/qmdgzglfzw	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/laeuklbisl	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/fqimirdumn	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/dembkqdnnd	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/reasemoxfd	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/hrdgxiqezw	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/ydvgqptufg	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/lqzpnnvgqq	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/xlkatqzakt	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/uwjxivocaf	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/boot/mpetjlbbrw	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
/usr/lib/udev/udev	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Click to see the 9 entries

Memory Dumps

Source	Rule	Description	Author
5223.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5252.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5357.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5228.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5370.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5291.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5342.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5222.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5287.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5227.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5296.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5224.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5264.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5333.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5270.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5327.1.00000000c965a2ea.000000003ec9bb06.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5275.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5333.1.0000000096d19dfa.00000000dfb96f82.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5225.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5277.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5290.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5277.1.00000000c2e9e40a.00000000c08dd338.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5298.1.000000004569d7d3.00000000bf141fbb.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5285.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5261.1.000000009d03549e.000000002f4af846.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5341.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5254.1.00000000432d7b8b.0000000014b575d5.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5287.1.000000001edec9d1.00000000b047c44a.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5281.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5271.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5315.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5317.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5306.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5376.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5338.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5317.1.0000000072be379b.00000000d301ab53.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5326.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5343.1.000000003d3d9107.000000007cf3594d.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5338.1.000000006da67978.000000007b42d8dc.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5266.1.000000005bbe83f8.0000000038d9bc4a.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5375.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5280.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5352.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5305.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5349.1.00000000a7c9cb17.000000004d5dc2f2.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5347.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5282.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5312.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5310.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5371.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5367.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5327.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5325.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5322.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5260.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5320.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5349.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5354.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5331.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5367.1.00000000ecd66f4d.000000000a561b6e.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5353.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5336.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5321.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5312.1.000000007d2f9f03.00000000f6c50af9.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5265.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5343.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5298.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5311.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5348.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5372.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5316.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5366.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5322.1.00000000867d8b2e.00000000432d7b8b.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5286.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5292.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5254.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5229.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5372.1.000000005e3cca46.00000000af07bbf9.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5266.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5292.1.00000000f6284656.00000000d8f8f07d.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5365.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5276.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5253.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5358.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5359.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5272.1.000000005be63ee0.00000000dd24ca1e.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5261.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5297.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5259.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5272.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5307.1.000000004bd9dab3.00000000b446d71d.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5337.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5282.1.00000000e9c9304b.00000000cd5a9209.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5354.1.000000005e3cca46.00000000af07bbf9.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5332.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5307.1.000000001a887bdc.00000000bcdea012.r-x.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
5359.1.000000003eaeccda.00000000546d7a6a.rw-.sdmp	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: test PID: 5222	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: test PID: 5223	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: test PID: 5224	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: test PID: 5225	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5225	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5227	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5228	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5229	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5252	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5253	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: cmltpcveev PID: 5253	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: cmltpcveev PID: 5254	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5259	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5260	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: ydvgqptufg PID: 5260	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: ydvgqptufg PID: 5261	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5264	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5265	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: qmdgzglfzw PID: 5265	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: qmdgzglfzw PID: 5266	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5270	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5271	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: fqimirdumn PID: 5271	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: fqimirdumn PID: 5272	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5275	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5276	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: mpetjlbbrw PID: 5276	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: mpetjlbbrw PID: 5277	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5280	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5281	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: ikjjfxjdrw PID: 5281	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: ikjjfxjdrw PID: 5282	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5285	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5286	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: laeuklbisl PID: 5286	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: laeuklbisl PID: 5287	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5290	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5291	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: reasemoxfd PID: 5291	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: reasemoxfd PID: 5292	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5296	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5297	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: dembkqdnnd PID: 5297	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: dembkqdnnd PID: 5298	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5305	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5306	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xlkatqzakt PID: 5306	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: xlkatqzakt PID: 5307	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5310	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5311	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: uwjxivocaf PID: 5311	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: uwjxivocaf PID: 5312	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5315	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5316	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: hrdgxiqezw PID: 5316	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: hrdgxiqezw PID: 5317	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5320	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5321	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: bsnzgwmdyz PID: 5321	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: bsnzgwmdyz PID: 5322	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5325	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5326	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: pgpndyvjry PID: 5326	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: pgpndyvjry PID: 5327	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5331	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5332	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lvhmzhponu PID: 5332	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lvhmzhponu PID: 5333	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5336	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Process Memory Space: lqzpnnvgqq PID: 5337	JoeSecurity_XorDDoS	Yara detected XorDDoS Bot	Joe Security
Click to see the 162 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: test

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: test	Virustotal: Detection: 62%	Perma Link
Source: test	Metadefender: Detection: 62%	Perma Link
Source: test	ReversingLabs: Detection: 73%

Antivirus detection for dropped file

Show sources

Source: /boot/mpetjlbbrw	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/dembkqdnnd	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /usr/lib/udev/udev	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/hrdgxiqezw	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/reasemoxfd	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/ikjjfxjdrw	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/qmdgzglfzw	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/ydvgqptufg	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/fqimirdumn	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/laeuklbisl	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/xlkatqzakt	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/cmltpcveev	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/lqzpnnvgqq	Avira: detection malicious, Label: LINUX/Xorddos.cona
Source: /boot/uwjxivocaf	Avira: detection malicious, Label: LINUX/Xorddos.cona

Machine Learning detection for dropped file

Show sources

Source: /boot/mpetjlbbrw	Joe Sandbox ML: detected
Source: /boot/dembkqdnnd	Joe Sandbox ML: detected
Source: /usr/lib/udev/udev	Joe Sandbox ML: detected
Source: /boot/hrdgxiqezw	Joe Sandbox ML: detected
Source: /boot/reasemoxfd	Joe Sandbox ML: detected
Source: /boot/ikjjfxjdrw	Joe Sandbox ML: detected
Source: /boot/qmdgzglfzw	Joe Sandbox ML: detected
Source: /boot/ydvgqptufg	Joe Sandbox ML: detected
Source: /boot/fqimirdumn	Joe Sandbox ML: detected
Source: /boot/laeuklbisl	Joe Sandbox ML: detected
Source: /boot/xlkatqzakt	Joe Sandbox ML: detected
Source: /boot/cmltpcveev	Joe Sandbox ML: detected
Source: /boot/lqzpnnvgqq	Joe Sandbox ML: detected
Source: /boot/uwjxivocaf	Joe Sandbox ML: detected
Source: /boot/bsnzgwmdyz	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: test

Joe Sandbox ML: detected

Source: /boot/lqzpnnvgqq (PID: 5226)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2020381 ET TROJAN DDoS.XOR Checkin 192.168.2.23:45048 -> 96.43.105.68:2897

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: aa369369.f3322.org

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443

Source: global traffic

TCP traffic: 192.168.2.23:45048 -> 96.43.105.68:2897

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114

Source: test, 5222.1.000000003b6085a0.00000000721a0005.rw-.sdmp, test, 5223.1.000000003b6085a0.00000000721a0005.rw-.sdmp, test, 5224.1.000000003b6085a0.00000000721a0005.rw-.sdmp, test, 5225.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5225.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5227.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5228.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5229.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5252.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5253.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, cmltpcveev, 5253.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, cmltpcveev, 5254.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, lqzpnnvgqq, 5259.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5260.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, ydvgqptufg, 5260.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, ydvgqptufg, 5261.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, lqzpnnvgqq, 5264.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5265.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, qmdgzglfzw, 5265.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, qmdgzglfzw, 5266.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, lqzpnnvgqq, 5270.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5271.1.000000004fef9a08.000000005ff51599.rw-.sdmp, fqimirdumn, 5271.1.000000004fef9a08.000000005ff51599.rw-.sdmp, fqimirdumn, 5272.1.000000004fef9a08.000000005ff51599.rw-.sdmp, lqzpnnvgqq, 5275.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5276.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, mpetjlbbrw, 5276.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, mpetjlbbrw, 5277.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, lqzpnnvgqq, 5280.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5281.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, ikjjfxjdrw, 5281.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, ikjjfxjdrw, 5282.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, lqzpnnvgqq, 5285.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5286.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, laeuklbisl, 5286.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, laeuklbisl, 5287.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, lqzpnnvgqq, 5290.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5291.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, reasemoxfd, 5291.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, reasemoxfd, 5292.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, lqzpnnvgqq, 5296.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5297.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, dembkqdnnd, 5297.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, dembkqdnnd, 5298.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, lqzpnnvgqq, 5305.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5306.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, xlkatqzakt, 5306.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, xlkatqzakt, 5307.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, lqzpnnvgqq, 5310.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5311.1.00000000acac5c18.000000002cce9625.rw-.sdmp, uwjxivocaf, 5311.1.00000000acac5c18.000000002cce9625.rw-.sdmp, uwjxivocaf, 5312.1.00000000acac5c18.000000002cce9625.rw-.sdmp, lqzpnnvgqq, 5315.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5316.1.000000001f32e955.000000008f40b429.rw-.sdmp, hrdgxiqezw, 5316.1.000000001f32e955.000000008f40b429.rw-.sdmp, hrdgxiqezw, 5317.1.000000001f32e955.000000008f40b429.rw-.sdmp, lqzpnnvgqq, 5320.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5321.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, bsnzgwmdyz, 5321.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, bsnzgwmdyz, 5322.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, lqzpnnvgqq, 5325.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5326.1.00000000333482a1.000000001173ccba.rw-.sdmp, pgpndyvjry, 5326.1.00000000333482a1.000000001173ccba.rw-.sdmp, pgpndyvjry, 5327.1.00000000333482a1.000000001173ccba.rw-.sdmp, lqzpnnvgqq, 5331.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5332.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lvhmzhponu, 5332.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lvhmzhponu, 5333.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lqzpnnvgqq, 5336.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5337.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, rlgxokxghy, 5337.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, rlgxokxghy, 5338.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, lqzpnnvgqq, 5341.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5342.1.00000000664d0328.0000000033783bde.rw-.sdmp, tsaycfvlxl, 5342.1.00000000664d0328.0000000033783bde.rw-.sdmp, tsaycfvlxl, 5343.1.00000000664d0328.0000000033783bde.rw-.sdmp, lqzpnnvgqq, 5347.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5348.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, crjtcddcvs, 5348.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, crjtcddcvs, 5349.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, lqzpnnvgqq, 5352.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5353.1.000000004ea8496c.000000003be361ea.rw-.sdmp, vypsjwtnwx, 5353.1.000000004ea8496c.000000003be361ea.rw-.sdmp, vypsjwtnwx, 5354.1.000000004ea8496c.000000003be361ea.rw-.sdmp, lqzpnnvgqq, 5357.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5358.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, wkgsskqrhz, 5358.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, wkgsskqrhz, 5359.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, lqzpnnvgqq, 5365.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5366.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, breklnwkhg, 5366.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, breklnwkhg, 5367.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, lqzpnnvgqq, 5370.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5371.1.000000006c288c8a.00000000989d045e.rw-.sdmp, wsgrxxhjuz, 5371.1.000000006c288c8a.00000000989d045e.rw-.sdmp, wsgrxxhjuz, 5372.1.000000006c288c8a.00000000989d045e.rw-.sdmp, lqzpnnvgqq, 5375.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5376.1.00000000219dd720.0000000083a66eed.rw-.sdmp, myeasimsce, 5376.1.00000000219dd720.0000000083a66eed.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar
Source: test, 5225.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5225.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5227.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5228.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5229.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5253.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, cmltpcveev, 5253.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, cmltpcveev, 5254.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, lqzpnnvgqq, 5260.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, ydvgqptufg, 5260.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, ydvgqptufg, 5261.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, lqzpnnvgqq, 5265.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, qmdgzglfzw, 5265.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, qmdgzglfzw, 5266.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, lqzpnnvgqq, 5271.1.000000004fef9a08.000000005ff51599.rw-.sdmp, fqimirdumn, 5271.1.000000004fef9a08.000000005ff51599.rw-.sdmp, fqimirdumn, 5272.1.000000004fef9a08.000000005ff51599.rw-.sdmp, lqzpnnvgqq, 5276.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, mpetjlbbrw, 5276.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, mpetjlbbrw, 5277.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, lqzpnnvgqq, 5281.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, ikjjfxjdrw, 5281.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, ikjjfxjdrw, 5282.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, lqzpnnvgqq, 5286.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, laeuklbisl, 5286.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, laeuklbisl, 5287.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, lqzpnnvgqq, 5291.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, reasemoxfd, 5291.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, reasemoxfd, 5292.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, lqzpnnvgqq, 5297.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, dembkqdnnd, 5297.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, dembkqdnnd, 5298.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, lqzpnnvgqq, 5306.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, xlkatqzakt, 5306.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, xlkatqzakt, 5307.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, lqzpnnvgqq, 5311.1.00000000acac5c18.000000002cce9625.rw-.sdmp, uwjxivocaf, 5311.1.00000000acac5c18.000000002cce9625.rw-.sdmp, uwjxivocaf, 5312.1.00000000acac5c18.000000002cce9625.rw-.sdmp, lqzpnnvgqq, 5316.1.000000001f32e955.000000008f40b429.rw-.sdmp, hrdgxiqezw, 5316.1.000000001f32e955.000000008f40b429.rw-.sdmp, hrdgxiqezw, 5317.1.000000001f32e955.000000008f40b429.rw-.sdmp, lqzpnnvgqq, 5321.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, bsnzgwmdyz, 5321.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, bsnzgwmdyz, 5322.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, lqzpnnvgqq, 5326.1.00000000333482a1.000000001173ccba.rw-.sdmp, pgpndyvjry, 5326.1.00000000333482a1.000000001173ccba.rw-.sdmp, pgpndyvjry, 5327.1.00000000333482a1.000000001173ccba.rw-.sdmp, lqzpnnvgqq, 5332.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lvhmzhponu, 5332.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lvhmzhponu, 5333.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lqzpnnvgqq, 5337.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, rlgxokxghy, 5337.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, rlgxokxghy, 5338.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, lqzpnnvgqq, 5342.1.00000000664d0328.0000000033783bde.rw-.sdmp, tsaycfvlxl, 5342.1.00000000664d0328.0000000033783bde.rw-.sdmp, tsaycfvlxl, 5343.1.00000000664d0328.0000000033783bde.rw-.sdmp, lqzpnnvgqq, 5348.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, crjtcddcvs, 5348.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, crjtcddcvs, 5349.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, lqzpnnvgqq, 5353.1.000000004ea8496c.000000003be361ea.rw-.sdmp, vypsjwtnwx, 5353.1.000000004ea8496c.000000003be361ea.rw-.sdmp, vypsjwtnwx, 5354.1.000000004ea8496c.000000003be361ea.rw-.sdmp, lqzpnnvgqq, 5358.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, wkgsskqrhz, 5358.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, wkgsskqrhz, 5359.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, lqzpnnvgqq, 5366.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, breklnwkhg, 5366.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, breklnwkhg, 5367.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, lqzpnnvgqq, 5371.1.000000006c288c8a.00000000989d045e.rw-.sdmp, wsgrxxhjuz, 5371.1.000000006c288c8a.00000000989d045e.rw-.sdmp, wsgrxxhjuz, 5372.1.000000006c288c8a.00000000989d045e.rw-.sdmp, lqzpnnvgqq, 5376.1.00000000219dd720.0000000083a66eed.rw-.sdmp, myeasimsce, 5376.1.00000000219dd720.0000000083a66eed.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/A/boot
Source: test, 5222.1.000000003b6085a0.00000000721a0005.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/A/tmp/
Source: lqzpnnvgqq, 5365.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Abrekl
Source: lqzpnnvgqq, 5320.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Absnzg
Source: lqzpnnvgqq, 5252.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Acmltp
Source: lqzpnnvgqq, 5347.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Acrjtc
Source: lqzpnnvgqq, 5296.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Adembk
Source: lqzpnnvgqq, 5270.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Afqimi
Source: lqzpnnvgqq, 5315.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Ahrdgx
Source: lqzpnnvgqq, 5280.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aikjjf
Source: lqzpnnvgqq, 5285.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alaeuk
Source: test, 5223.1.000000003b6085a0.00000000721a0005.rw-.sdmp, test, 5224.1.000000003b6085a0.00000000721a0005.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alqzpn
Source: lqzpnnvgqq, 5331.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alvhmz
Source: lqzpnnvgqq, 5275.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Ampetj
Source: lqzpnnvgqq, 5375.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Amyeas
Source: lqzpnnvgqq, 5325.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Apgpnd
Source: lqzpnnvgqq, 5264.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aqmdgz
Source: lqzpnnvgqq, 5290.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Arease
Source: lqzpnnvgqq, 5336.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Arlgxo
Source: lqzpnnvgqq, 5341.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Atsayc
Source: lqzpnnvgqq, 5310.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Auwjxi
Source: lqzpnnvgqq, 5352.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Avypsj
Source: lqzpnnvgqq, 5357.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Awkgss
Source: lqzpnnvgqq, 5370.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Awsgrx
Source: lqzpnnvgqq, 5305.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Axlkat
Source: lqzpnnvgqq, 5259.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	String found in binary or memory: http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aydvgq
Source: test, mpetjlbbrw.15.dr, dembkqdnnd.15.dr, udev.11.dr, hrdgxiqezw.15.dr, reasemoxfd.15.dr, ikjjfxjdrw.15.dr, qmdgzglfzw.15.dr, ydvgqptufg.15.dr, fqimirdumn.15.dr, laeuklbisl.15.dr, xlkatqzakt.15.dr, cmltpcveev.15.dr, lqzpnnvgqq.11.dr, uwjxivocaf.15.dr	String found in binary or memory: http://www.gnu.org/software/libc/bugs.html

Source: unknown

DNS traffic detected: queries for: aa369369.f3322.org

DDoS:

Yara detected XorDDoS Bot

Show sources

Source: Yara match	File source: test, type: SAMPLE
Source: Yara match	File source: 5223.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5252.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5357.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5370.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5291.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5342.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5222.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5287.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5227.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5296.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5224.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5264.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5333.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5270.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5327.1.00000000c965a2ea.000000003ec9bb06.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5275.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5333.1.0000000096d19dfa.00000000dfb96f82.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5225.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5277.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5290.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5277.1.00000000c2e9e40a.00000000c08dd338.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5298.1.000000004569d7d3.00000000bf141fbb.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5285.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5261.1.000000009d03549e.000000002f4af846.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5341.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5254.1.00000000432d7b8b.0000000014b575d5.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5287.1.000000001edec9d1.00000000b047c44a.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5281.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5271.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5315.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5317.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5306.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5376.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5338.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5317.1.0000000072be379b.00000000d301ab53.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5326.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5343.1.000000003d3d9107.000000007cf3594d.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5338.1.000000006da67978.000000007b42d8dc.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5266.1.000000005bbe83f8.0000000038d9bc4a.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5375.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5280.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5352.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5305.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5349.1.00000000a7c9cb17.000000004d5dc2f2.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5347.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5282.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5312.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5310.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5371.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5367.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5327.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5325.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5322.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5260.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5320.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5349.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5354.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5331.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5367.1.00000000ecd66f4d.000000000a561b6e.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5353.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5336.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5321.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5312.1.000000007d2f9f03.00000000f6c50af9.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5265.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5343.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5298.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5311.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5348.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5372.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5316.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5366.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5322.1.00000000867d8b2e.00000000432d7b8b.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5286.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5292.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5254.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5229.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5372.1.000000005e3cca46.00000000af07bbf9.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5266.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5292.1.00000000f6284656.00000000d8f8f07d.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5365.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5276.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5253.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5358.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5359.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5272.1.000000005be63ee0.00000000dd24ca1e.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5261.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5297.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5259.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5272.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5307.1.000000004bd9dab3.00000000b446d71d.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5337.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5282.1.00000000e9c9304b.00000000cd5a9209.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5354.1.000000005e3cca46.00000000af07bbf9.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5332.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5307.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5359.1.000000003eaeccda.00000000546d7a6a.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: test PID: 5222, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: test PID: 5223, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: test PID: 5224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: test PID: 5225, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5225, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5227, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5229, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5253, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmltpcveev PID: 5253, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmltpcveev PID: 5254, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5259, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ydvgqptufg PID: 5260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ydvgqptufg PID: 5261, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5265, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qmdgzglfzw PID: 5265, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qmdgzglfzw PID: 5266, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5270, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5271, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fqimirdumn PID: 5271, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fqimirdumn PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5275, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpetjlbbrw PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpetjlbbrw PID: 5277, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5281, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ikjjfxjdrw PID: 5281, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ikjjfxjdrw PID: 5282, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5285, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5286, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: laeuklbisl PID: 5286, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: laeuklbisl PID: 5287, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5290, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5291, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reasemoxfd PID: 5291, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reasemoxfd PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5297, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dembkqdnnd PID: 5297, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dembkqdnnd PID: 5298, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5305, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5306, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xlkatqzakt PID: 5306, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xlkatqzakt PID: 5307, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5310, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5311, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uwjxivocaf PID: 5311, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uwjxivocaf PID: 5312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5315, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrdgxiqezw PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrdgxiqezw PID: 5317, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5321, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bsnzgwmdyz PID: 5321, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bsnzgwmdyz PID: 5322, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5325, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5326, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pgpndyvjry PID: 5326, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pgpndyvjry PID: 5327, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5331, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvhmzhponu PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvhmzhponu PID: 5333, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5337, type: MEMORYSTR
Source: Yara match	File source: /boot/ikjjfxjdrw, type: DROPPED
Source: Yara match	File source: /boot/cmltpcveev, type: DROPPED
Source: Yara match	File source: /boot/qmdgzglfzw, type: DROPPED
Source: Yara match	File source: /boot/laeuklbisl, type: DROPPED
Source: Yara match	File source: /boot/fqimirdumn, type: DROPPED
Source: Yara match	File source: /boot/dembkqdnnd, type: DROPPED
Source: Yara match	File source: /boot/reasemoxfd, type: DROPPED
Source: Yara match	File source: /boot/hrdgxiqezw, type: DROPPED
Source: Yara match	File source: /boot/ydvgqptufg, type: DROPPED
Source: Yara match	File source: /boot/lqzpnnvgqq, type: DROPPED
Source: Yara match	File source: /boot/xlkatqzakt, type: DROPPED
Source: Yara match	File source: /boot/uwjxivocaf, type: DROPPED
Source: Yara match	File source: /boot/mpetjlbbrw, type: DROPPED
Source: Yara match	File source: /usr/lib/udev/udev, type: DROPPED

Source: classification engine

Classification label: mal100.troj.evad.lin@0/20@1/0

Source: /boot/lqzpnnvgqq (PID: 5226)

/run/sftp.pid: uuqojokuzcdppnrsabvrmwadslwllbxh

Jump to behavior

Persistence and Installation Behavior:

Sample tries to persist itself using System V runlevels

Show sources

Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc1.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc2.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc3.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc4.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc5.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc.d/rc1.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc.d/rc2.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc.d/rc3.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc.d/rc4.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/rc.d/rc5.d/S90lqzpnnvgqq -> /etc/init.d/lqzpnnvgqq	Jump to behavior

Writes identical ELF files to multiple locations

Show sources

Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/xlkatqzakt	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/uwjxivocaf	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/fqimirdumn	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/ikjjfxjdrw	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/ydvgqptufg	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/dembkqdnnd	Jump to dropped file
Source: /tmp/test (PID: 5223)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/lqzpnnvgqq	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/cmltpcveev	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/laeuklbisl	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/hrdgxiqezw	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/mpetjlbbrw	Jump to dropped file
Source: /tmp/test (PID: 5223)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /usr/lib/udev/udev	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/qmdgzglfzw	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File with SHA-256 F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876 written: /boot/reasemoxfd	Jump to dropped file

Sample tries to persist itself using cron

Show sources

Source: /boot/lqzpnnvgqq (PID: 5226)	File: /etc/cron.hourly/cron.sh	Jump to behavior
Source: /bin/sh (PID: 5231)	File: /etc/crontab	Jump to behavior
Source: /bin/sed (PID: 5232)	File: /etc/crontab	Jump to behavior

Source: /tmp/test (PID: 5223)	File written: /usr/lib/udev/udev	Jump to dropped file
Source: /tmp/test (PID: 5223)	File written: /boot/lqzpnnvgqq	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/cmltpcveev	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/ydvgqptufg	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/qmdgzglfzw	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/fqimirdumn	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/mpetjlbbrw	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/ikjjfxjdrw	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/laeuklbisl	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/reasemoxfd	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/dembkqdnnd	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/xlkatqzakt	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/uwjxivocaf	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/hrdgxiqezw	Jump to dropped file
Source: /boot/lqzpnnvgqq (PID: 5226)	File written: /boot/bsnzgwmdyz	Jump to dropped file

Source: /boot/lqzpnnvgqq (PID: 5226)

Shell script file created: /etc/cron.hourly/cron.sh

Jump to dropped file

Source: /boot/lqzpnnvgqq (PID: 5226)	Reads from proc file: /proc/stat	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	Reads from proc file: /proc/cpuinfo	Jump to behavior

Source: /sbin/update-rc.d (PID: 5235)

Systemctl executable: /bin/systemctl -> systemctl daemon-reload

Jump to behavior

Source: /boot/lqzpnnvgqq (PID: 5231)

Shell command executed: sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"

Jump to behavior

Source: /boot/lqzpnnvgqq (PID: 5226)

Writes shell script file to disk with an unusual file extension: /etc/init.d/lqzpnnvgqq

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories

Show sources

Source: /boot/lqzpnnvgqq (PID: 5226)

File: /etc/init.d/lqzpnnvgqq

Jump to dropped file

Sample deletes itself

Show sources

Source: /tmp/test (PID: 5223)	File: /tmp/test	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/cmltpcveev	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/ydvgqptufg	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/qmdgzglfzw	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/fqimirdumn	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/mpetjlbbrw	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/ikjjfxjdrw	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/laeuklbisl	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/reasemoxfd	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/dembkqdnnd	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/xlkatqzakt	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/uwjxivocaf	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/hrdgxiqezw	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/bsnzgwmdyz	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/pgpndyvjry	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/lvhmzhponu	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/rlgxokxghy	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/tsaycfvlxl	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/crjtcddcvs	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/vypsjwtnwx	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/wkgsskqrhz	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/breklnwkhg	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/wsgrxxhjuz	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	File: /boot/myeasimsce	Jump to behavior
Source: /boot/cmltpcveev (PID: 5254)	File: /boot/cmltpcveev	Jump to behavior
Source: /boot/ydvgqptufg (PID: 5261)	File: /boot/ydvgqptufg	Jump to behavior
Source: /boot/qmdgzglfzw (PID: 5266)	File: /boot/qmdgzglfzw	Jump to behavior
Source: /boot/fqimirdumn (PID: 5272)	File: /boot/fqimirdumn	Jump to behavior
Source: /boot/mpetjlbbrw (PID: 5277)	File: /boot/mpetjlbbrw	Jump to behavior
Source: /boot/ikjjfxjdrw (PID: 5282)	File: /boot/ikjjfxjdrw	Jump to behavior
Source: /boot/laeuklbisl (PID: 5287)	File: /boot/laeuklbisl	Jump to behavior
Source: /boot/reasemoxfd (PID: 5292)	File: /boot/reasemoxfd	Jump to behavior
Source: /boot/dembkqdnnd (PID: 5298)	File: /boot/dembkqdnnd	Jump to behavior
Source: /boot/xlkatqzakt (PID: 5307)	File: /boot/xlkatqzakt	Jump to behavior
Source: /boot/uwjxivocaf (PID: 5312)	File: /boot/uwjxivocaf	Jump to behavior
Source: /boot/hrdgxiqezw (PID: 5317)	File: /boot/hrdgxiqezw	Jump to behavior
Source: /boot/bsnzgwmdyz (PID: 5322)	File: /boot/bsnzgwmdyz	Jump to behavior
Source: /boot/pgpndyvjry (PID: 5327)	File: /boot/pgpndyvjry	Jump to behavior
Source: /boot/lvhmzhponu (PID: 5333)	File: /boot/lvhmzhponu	Jump to behavior
Source: /boot/rlgxokxghy (PID: 5338)	File: /boot/rlgxokxghy	Jump to behavior
Source: /boot/tsaycfvlxl (PID: 5343)	File: /boot/tsaycfvlxl	Jump to behavior
Source: /boot/crjtcddcvs (PID: 5349)	File: /boot/crjtcddcvs	Jump to behavior
Source: /boot/vypsjwtnwx (PID: 5354)	File: /boot/vypsjwtnwx	Jump to behavior
Source: /boot/wkgsskqrhz (PID: 5359)	File: /boot/wkgsskqrhz	Jump to behavior
Source: /boot/breklnwkhg (PID: 5367)	File: /boot/breklnwkhg	Jump to behavior
Source: /boot/wsgrxxhjuz (PID: 5372)	File: /boot/wsgrxxhjuz	Jump to behavior

Source: /tmp/test (PID: 5222)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5225)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/lqzpnnvgqq (PID: 5226)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/cmltpcveev (PID: 5253)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/ydvgqptufg (PID: 5260)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/qmdgzglfzw (PID: 5265)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/fqimirdumn (PID: 5271)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/mpetjlbbrw (PID: 5276)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/ikjjfxjdrw (PID: 5281)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/laeuklbisl (PID: 5286)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/reasemoxfd (PID: 5291)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/dembkqdnnd (PID: 5297)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/xlkatqzakt (PID: 5306)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/uwjxivocaf (PID: 5311)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/hrdgxiqezw (PID: 5316)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/bsnzgwmdyz (PID: 5321)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/pgpndyvjry (PID: 5326)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/lvhmzhponu (PID: 5332)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/rlgxokxghy (PID: 5337)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/tsaycfvlxl (PID: 5342)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/crjtcddcvs (PID: 5348)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/vypsjwtnwx (PID: 5353)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/wkgsskqrhz (PID: 5358)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/breklnwkhg (PID: 5366)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/wsgrxxhjuz (PID: 5371)	Queries kernel information via 'uname':	Jump to behavior
Source: /boot/myeasimsce (PID: 5376)	Queries kernel information via 'uname':	Jump to behavior

Source: /boot/lqzpnnvgqq (PID: 5226)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Remote Access Functionality:

Yara detected XorDDoS Bot

Show sources

Source: Yara match	File source: test, type: SAMPLE
Source: Yara match	File source: 5223.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5252.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5357.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5228.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5370.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5291.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5342.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5222.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5287.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5227.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5296.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5224.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5264.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5333.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5270.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5327.1.00000000c965a2ea.000000003ec9bb06.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5275.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5333.1.0000000096d19dfa.00000000dfb96f82.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5225.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5277.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5290.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5277.1.00000000c2e9e40a.00000000c08dd338.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5298.1.000000004569d7d3.00000000bf141fbb.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5285.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5261.1.000000009d03549e.000000002f4af846.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5341.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5254.1.00000000432d7b8b.0000000014b575d5.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5287.1.000000001edec9d1.00000000b047c44a.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5281.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5271.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5315.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5317.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5306.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5376.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5338.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5317.1.0000000072be379b.00000000d301ab53.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5326.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5343.1.000000003d3d9107.000000007cf3594d.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5338.1.000000006da67978.000000007b42d8dc.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5266.1.000000005bbe83f8.0000000038d9bc4a.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5375.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5280.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5352.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5305.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5349.1.00000000a7c9cb17.000000004d5dc2f2.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5347.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5282.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5312.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5310.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5371.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5367.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5327.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5325.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5322.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5260.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5320.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5349.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5354.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5331.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5367.1.00000000ecd66f4d.000000000a561b6e.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5353.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5336.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5321.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5312.1.000000007d2f9f03.00000000f6c50af9.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5265.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5343.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5298.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5311.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5348.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5372.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5316.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5366.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5322.1.00000000867d8b2e.00000000432d7b8b.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5286.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5292.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5254.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5229.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5372.1.000000005e3cca46.00000000af07bbf9.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5266.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5292.1.00000000f6284656.00000000d8f8f07d.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5365.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5276.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5253.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5358.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5359.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5272.1.000000005be63ee0.00000000dd24ca1e.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5261.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5297.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5259.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5272.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5307.1.000000004bd9dab3.00000000b446d71d.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5337.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5282.1.00000000e9c9304b.00000000cd5a9209.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5354.1.000000005e3cca46.00000000af07bbf9.rw-.sdmp, type: MEMORY
Source: Yara match	File source: 5332.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5307.1.000000001a887bdc.00000000bcdea012.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 5359.1.000000003eaeccda.00000000546d7a6a.rw-.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: test PID: 5222, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: test PID: 5223, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: test PID: 5224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: test PID: 5225, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5225, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5227, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5228, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5229, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5253, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmltpcveev PID: 5253, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmltpcveev PID: 5254, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5259, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ydvgqptufg PID: 5260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ydvgqptufg PID: 5261, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5265, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qmdgzglfzw PID: 5265, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qmdgzglfzw PID: 5266, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5270, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5271, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fqimirdumn PID: 5271, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fqimirdumn PID: 5272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5275, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpetjlbbrw PID: 5276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mpetjlbbrw PID: 5277, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5280, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5281, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ikjjfxjdrw PID: 5281, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ikjjfxjdrw PID: 5282, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5285, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5286, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: laeuklbisl PID: 5286, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: laeuklbisl PID: 5287, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5290, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5291, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reasemoxfd PID: 5291, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: reasemoxfd PID: 5292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5296, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5297, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dembkqdnnd PID: 5297, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dembkqdnnd PID: 5298, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5305, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5306, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xlkatqzakt PID: 5306, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xlkatqzakt PID: 5307, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5310, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5311, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uwjxivocaf PID: 5311, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: uwjxivocaf PID: 5312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5315, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrdgxiqezw PID: 5316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: hrdgxiqezw PID: 5317, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5321, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bsnzgwmdyz PID: 5321, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bsnzgwmdyz PID: 5322, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5325, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5326, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pgpndyvjry PID: 5326, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pgpndyvjry PID: 5327, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5331, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvhmzhponu PID: 5332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lvhmzhponu PID: 5333, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5336, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lqzpnnvgqq PID: 5337, type: MEMORYSTR
Source: Yara match	File source: /boot/ikjjfxjdrw, type: DROPPED
Source: Yara match	File source: /boot/cmltpcveev, type: DROPPED
Source: Yara match	File source: /boot/qmdgzglfzw, type: DROPPED
Source: Yara match	File source: /boot/laeuklbisl, type: DROPPED
Source: Yara match	File source: /boot/fqimirdumn, type: DROPPED
Source: Yara match	File source: /boot/dembkqdnnd, type: DROPPED
Source: Yara match	File source: /boot/reasemoxfd, type: DROPPED
Source: Yara match	File source: /boot/hrdgxiqezw, type: DROPPED
Source: Yara match	File source: /boot/ydvgqptufg, type: DROPPED
Source: Yara match	File source: /boot/lqzpnnvgqq, type: DROPPED
Source: Yara match	File source: /boot/xlkatqzakt, type: DROPPED
Source: Yara match	File source: /boot/uwjxivocaf, type: DROPPED
Source: Yara match	File source: /boot/mpetjlbbrw, type: DROPPED
Source: Yara match	File source: /usr/lib/udev/udev, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting2	Systemd Service1	Systemd Service1	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	At (Linux)2	At (Linux)2	At (Linux)2	Scripting2	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	File Deletion1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
test	62%	Virustotal		Browse
test	63%	Metadefender		Browse
test	74%	ReversingLabs	Linux.Network.XorDDoS
test	100%	Avira	LINUX/Xorddos.cona
test	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
/boot/mpetjlbbrw	100%	Avira	LINUX/Xorddos.cona
/boot/dembkqdnnd	100%	Avira	LINUX/Xorddos.cona
/usr/lib/udev/udev	100%	Avira	LINUX/Xorddos.cona
/boot/hrdgxiqezw	100%	Avira	LINUX/Xorddos.cona
/boot/reasemoxfd	100%	Avira	LINUX/Xorddos.cona
/boot/ikjjfxjdrw	100%	Avira	LINUX/Xorddos.cona
/boot/qmdgzglfzw	100%	Avira	LINUX/Xorddos.cona
/boot/ydvgqptufg	100%	Avira	LINUX/Xorddos.cona
/boot/fqimirdumn	100%	Avira	LINUX/Xorddos.cona
/boot/laeuklbisl	100%	Avira	LINUX/Xorddos.cona
/boot/xlkatqzakt	100%	Avira	LINUX/Xorddos.cona
/boot/cmltpcveev	100%	Avira	LINUX/Xorddos.cona
/boot/lqzpnnvgqq	100%	Avira	LINUX/Xorddos.cona
/boot/uwjxivocaf	100%	Avira	LINUX/Xorddos.cona
/boot/mpetjlbbrw	100%	Joe Sandbox ML
/boot/dembkqdnnd	100%	Joe Sandbox ML
/usr/lib/udev/udev	100%	Joe Sandbox ML
/boot/hrdgxiqezw	100%	Joe Sandbox ML
/boot/reasemoxfd	100%	Joe Sandbox ML
/boot/ikjjfxjdrw	100%	Joe Sandbox ML
/boot/qmdgzglfzw	100%	Joe Sandbox ML
/boot/ydvgqptufg	100%	Joe Sandbox ML
/boot/fqimirdumn	100%	Joe Sandbox ML
/boot/laeuklbisl	100%	Joe Sandbox ML
/boot/xlkatqzakt	100%	Joe Sandbox ML
/boot/cmltpcveev	100%	Joe Sandbox ML
/boot/lqzpnnvgqq	100%	Joe Sandbox ML
/boot/uwjxivocaf	100%	Joe Sandbox ML
/boot/bsnzgwmdyz	100%	Joe Sandbox ML
/boot/cmltpcveev	63%	Metadefender		Browse
/boot/cmltpcveev	74%	ReversingLabs	Linux.Network.XorDDoS
/boot/dembkqdnnd	63%	Metadefender		Browse
/boot/dembkqdnnd	74%	ReversingLabs	Linux.Network.XorDDoS
/boot/fqimirdumn	63%	Metadefender		Browse
/boot/fqimirdumn	74%	ReversingLabs	Linux.Network.XorDDoS
/boot/hrdgxiqezw	63%	Metadefender		Browse
/boot/hrdgxiqezw	74%	ReversingLabs	Linux.Network.XorDDoS
/boot/ikjjfxjdrw	63%	Metadefender		Browse
/boot/ikjjfxjdrw	74%	ReversingLabs	Linux.Network.XorDDoS
/boot/laeuklbisl	63%	Metadefender		Browse
/boot/laeuklbisl	74%	ReversingLabs	Linux.Network.XorDDoS
/boot/lqzpnnvgqq	63%	Metadefender		Browse
/boot/lqzpnnvgqq	74%	ReversingLabs	Linux.Network.XorDDoS

Domains

Source	Detection	Scanner	Label	Link
aa369369.f3322.org	3%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Acrjtc	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar	12%	Virustotal		Browse
http://info.3000uc.com/config.rar	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/A/boot	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Adembk	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Axlkat	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/A/tmp/	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alvhmz	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Ahrdgx	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Avypsj	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alqzpn	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Arlgxo	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Auwjxi	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aqmdgz	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Awkgss	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Amyeas	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Acmltp	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Atsayc	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Apgpnd	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Afqimi	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alaeuk	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aikjjf	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Arease	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Awsgrx	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Absnzg	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Abrekl	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aydvgq	100%	Avira URL Cloud	malware
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Ampetj	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
aa369369.f3322.org	96.43.105.68	true	true	3%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Acrjtc	lqzpnnvgqq, 5347.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar	test, 5222.1.000000003b6085a0.00000000721a0005.rw-.sdmp, test, 5223.1.000000003b6085a0.00000000721a0005.rw-.sdmp, test, 5224.1.000000003b6085a0.00000000721a0005.rw-.sdmp, test, 5225.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5225.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5227.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5228.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5229.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5252.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5253.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, cmltpcveev, 5253.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, cmltpcveev, 5254.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, lqzpnnvgqq, 5259.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5260.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, ydvgqptufg, 5260.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, ydvgqptufg, 5261.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, lqzpnnvgqq, 5264.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5265.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, qmdgzglfzw, 5265.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, qmdgzglfzw, 5266.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, lqzpnnvgqq, 5270.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5271.1.000000004fef9a08.000000005ff51599.rw-.sdmp, fqimirdumn, 5271.1.000000004fef9a08.000000005ff51599.rw-.sdmp, fqimirdumn, 5272.1.000000004fef9a08.000000005ff51599.rw-.sdmp, lqzpnnvgqq, 5275.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5276.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, mpetjlbbrw, 5276.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, mpetjlbbrw, 5277.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, lqzpnnvgqq, 5280.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5281.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, ikjjfxjdrw, 5281.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, ikjjfxjdrw, 5282.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, lqzpnnvgqq, 5285.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5286.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, laeuklbisl, 5286.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, laeuklbisl, 5287.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, lqzpnnvgqq, 5290.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5291.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, reasemoxfd, 5291.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, reasemoxfd, 5292.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, lqzpnnvgqq, 5296.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5297.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, dembkqdnnd, 5297.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, dembkqdnnd, 5298.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, lqzpnnvgqq, 5305.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5306.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, xlkatqzakt, 5306.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, xlkatqzakt, 5307.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, lqzpnnvgqq, 5310.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5311.1.00000000acac5c18.000000002cce9625.rw-.sdmp, uwjxivocaf, 5311.1.00000000acac5c18.000000002cce9625.rw-.sdmp, uwjxivocaf, 5312.1.00000000acac5c18.000000002cce9625.rw-.sdmp, lqzpnnvgqq, 5315.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5316.1.000000001f32e955.000000008f40b429.rw-.sdmp, hrdgxiqezw, 5316.1.000000001f32e955.000000008f40b429.rw-.sdmp, hrdgxiqezw, 5317.1.000000001f32e955.000000008f40b429.rw-.sdmp, lqzpnnvgqq, 5320.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5321.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, bsnzgwmdyz, 5321.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, bsnzgwmdyz, 5322.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, lqzpnnvgqq, 5325.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5326.1.00000000333482a1.000000001173ccba.rw-.sdmp, pgpndyvjry, 5326.1.00000000333482a1.000000001173ccba.rw-.sdmp, pgpndyvjry, 5327.1.00000000333482a1.000000001173ccba.rw-.sdmp, lqzpnnvgqq, 5331.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5332.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lvhmzhponu, 5332.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lvhmzhponu, 5333.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lqzpnnvgqq, 5336.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5337.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, rlgxokxghy, 5337.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, rlgxokxghy, 5338.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, lqzpnnvgqq, 5341.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5342.1.00000000664d0328.0000000033783bde.rw-.sdmp, tsaycfvlxl, 5342.1.00000000664d0328.0000000033783bde.rw-.sdmp, tsaycfvlxl, 5343.1.00000000664d0328.0000000033783bde.rw-.sdmp, lqzpnnvgqq, 5347.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5348.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, crjtcddcvs, 5348.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, crjtcddcvs, 5349.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, lqzpnnvgqq, 5352.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5353.1.000000004ea8496c.000000003be361ea.rw-.sdmp, vypsjwtnwx, 5353.1.000000004ea8496c.000000003be361ea.rw-.sdmp, vypsjwtnwx, 5354.1.000000004ea8496c.000000003be361ea.rw-.sdmp, lqzpnnvgqq, 5357.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5358.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, wkgsskqrhz, 5358.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, wkgsskqrhz, 5359.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, lqzpnnvgqq, 5365.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5366.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, breklnwkhg, 5366.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, breklnwkhg, 5367.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, lqzpnnvgqq, 5370.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5371.1.000000006c288c8a.00000000989d045e.rw-.sdmp, wsgrxxhjuz, 5371.1.000000006c288c8a.00000000989d045e.rw-.sdmp, wsgrxxhjuz, 5372.1.000000006c288c8a.00000000989d045e.rw-.sdmp, lqzpnnvgqq, 5375.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5376.1.00000000219dd720.0000000083a66eed.rw-.sdmp, myeasimsce, 5376.1.00000000219dd720.0000000083a66eed.rw-.sdmp	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/A/boot	test, 5225.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5225.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5227.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5228.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5229.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp, lqzpnnvgqq, 5253.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, cmltpcveev, 5253.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, cmltpcveev, 5254.1.00000000096a02ca.00000000b636fb63.rw-.sdmp, lqzpnnvgqq, 5260.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, ydvgqptufg, 5260.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, ydvgqptufg, 5261.1.000000006b01fb7d.00000000a844d909.rw-.sdmp, lqzpnnvgqq, 5265.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, qmdgzglfzw, 5265.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, qmdgzglfzw, 5266.1.000000009df9b02c.00000000e8abe4c6.rw-.sdmp, lqzpnnvgqq, 5271.1.000000004fef9a08.000000005ff51599.rw-.sdmp, fqimirdumn, 5271.1.000000004fef9a08.000000005ff51599.rw-.sdmp, fqimirdumn, 5272.1.000000004fef9a08.000000005ff51599.rw-.sdmp, lqzpnnvgqq, 5276.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, mpetjlbbrw, 5276.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, mpetjlbbrw, 5277.1.00000000c07d9106.0000000050cc2065.rw-.sdmp, lqzpnnvgqq, 5281.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, ikjjfxjdrw, 5281.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, ikjjfxjdrw, 5282.1.00000000d4a7686e.00000000f3db70ee.rw-.sdmp, lqzpnnvgqq, 5286.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, laeuklbisl, 5286.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, laeuklbisl, 5287.1.00000000958fdf0c.000000004f5eb547.rw-.sdmp, lqzpnnvgqq, 5291.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, reasemoxfd, 5291.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, reasemoxfd, 5292.1.00000000428804cf.000000008fd8fd7d.rw-.sdmp, lqzpnnvgqq, 5297.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, dembkqdnnd, 5297.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, dembkqdnnd, 5298.1.00000000da8faa99.000000005bdb9d60.rw-.sdmp, lqzpnnvgqq, 5306.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, xlkatqzakt, 5306.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, xlkatqzakt, 5307.1.0000000093a0fe7d.0000000047bee4bd.rw-.sdmp, lqzpnnvgqq, 5311.1.00000000acac5c18.000000002cce9625.rw-.sdmp, uwjxivocaf, 5311.1.00000000acac5c18.000000002cce9625.rw-.sdmp, uwjxivocaf, 5312.1.00000000acac5c18.000000002cce9625.rw-.sdmp, lqzpnnvgqq, 5316.1.000000001f32e955.000000008f40b429.rw-.sdmp, hrdgxiqezw, 5316.1.000000001f32e955.000000008f40b429.rw-.sdmp, hrdgxiqezw, 5317.1.000000001f32e955.000000008f40b429.rw-.sdmp, lqzpnnvgqq, 5321.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, bsnzgwmdyz, 5321.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, bsnzgwmdyz, 5322.1.00000000b7eba36e.000000000ac9cc08.rw-.sdmp, lqzpnnvgqq, 5326.1.00000000333482a1.000000001173ccba.rw-.sdmp, pgpndyvjry, 5326.1.00000000333482a1.000000001173ccba.rw-.sdmp, pgpndyvjry, 5327.1.00000000333482a1.000000001173ccba.rw-.sdmp, lqzpnnvgqq, 5332.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lvhmzhponu, 5332.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lvhmzhponu, 5333.1.000000004399fb2b.00000000cda7c00c.rw-.sdmp, lqzpnnvgqq, 5337.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, rlgxokxghy, 5337.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, rlgxokxghy, 5338.1.0000000074b549d7.0000000097c539fc.rw-.sdmp, lqzpnnvgqq, 5342.1.00000000664d0328.0000000033783bde.rw-.sdmp, tsaycfvlxl, 5342.1.00000000664d0328.0000000033783bde.rw-.sdmp, tsaycfvlxl, 5343.1.00000000664d0328.0000000033783bde.rw-.sdmp, lqzpnnvgqq, 5348.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, crjtcddcvs, 5348.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, crjtcddcvs, 5349.1.0000000079b7fc3d.000000002ec7e2a5.rw-.sdmp, lqzpnnvgqq, 5353.1.000000004ea8496c.000000003be361ea.rw-.sdmp, vypsjwtnwx, 5353.1.000000004ea8496c.000000003be361ea.rw-.sdmp, vypsjwtnwx, 5354.1.000000004ea8496c.000000003be361ea.rw-.sdmp, lqzpnnvgqq, 5358.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, wkgsskqrhz, 5358.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, wkgsskqrhz, 5359.1.000000003e89373b.00000000ec21ebef.rw-.sdmp, lqzpnnvgqq, 5366.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, breklnwkhg, 5366.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, breklnwkhg, 5367.1.000000004813c3a7.000000002b2e6979.rw-.sdmp, lqzpnnvgqq, 5371.1.000000006c288c8a.00000000989d045e.rw-.sdmp, wsgrxxhjuz, 5371.1.000000006c288c8a.00000000989d045e.rw-.sdmp, wsgrxxhjuz, 5372.1.000000006c288c8a.00000000989d045e.rw-.sdmp, lqzpnnvgqq, 5376.1.00000000219dd720.0000000083a66eed.rw-.sdmp, myeasimsce, 5376.1.00000000219dd720.0000000083a66eed.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Adembk	lqzpnnvgqq, 5296.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Axlkat	lqzpnnvgqq, 5305.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/A/tmp/	test, 5222.1.000000003b6085a0.00000000721a0005.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alvhmz	lqzpnnvgqq, 5331.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Ahrdgx	lqzpnnvgqq, 5315.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Avypsj	lqzpnnvgqq, 5352.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alqzpn	test, 5223.1.000000003b6085a0.00000000721a0005.rw-.sdmp, test, 5224.1.000000003b6085a0.00000000721a0005.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Arlgxo	lqzpnnvgqq, 5336.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Auwjxi	lqzpnnvgqq, 5310.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aqmdgz	lqzpnnvgqq, 5264.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Awkgss	lqzpnnvgqq, 5357.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Amyeas	lqzpnnvgqq, 5375.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Acmltp	lqzpnnvgqq, 5252.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Atsayc	lqzpnnvgqq, 5341.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Apgpnd	lqzpnnvgqq, 5325.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Afqimi	lqzpnnvgqq, 5270.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Alaeuk	lqzpnnvgqq, 5285.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aikjjf	lqzpnnvgqq, 5280.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://www.gnu.org/software/libc/bugs.html	test, mpetjlbbrw.15.dr, dembkqdnnd.15.dr, udev.11.dr, hrdgxiqezw.15.dr, reasemoxfd.15.dr, ikjjfxjdrw.15.dr, qmdgzglfzw.15.dr, ydvgqptufg.15.dr, fqimirdumn.15.dr, laeuklbisl.15.dr, xlkatqzakt.15.dr, cmltpcveev.15.dr, lqzpnnvgqq.11.dr, uwjxivocaf.15.dr	false		high
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Arease	lqzpnnvgqq, 5290.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Awsgrx	lqzpnnvgqq, 5370.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Absnzg	lqzpnnvgqq, 5320.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Abrekl	lqzpnnvgqq, 5365.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Aydvgq	lqzpnnvgqq, 5259.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown
http://info.3000uc.com/config.rar2/lib/udev/5/lib/udev/udev0/var/run/sftp.pid2/var/run/9/boot/Ampetj	lqzpnnvgqq, 5275.1.0000000022732bfe.00000000d7a7cf3e.rw-.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
96.43.105.68	aa369369.f3322.org	United States	64050	BCPL-SGBGPNETGlobalASNSG	true
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Runtime Messages

Command:	/tmp/test
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
109.202.202.202	MGQDe0tJrx	Get hash	malicious	Browse
	UpavrrqO1z	Get hash	malicious	Browse
	FIFoLIpQmv	Get hash	malicious	Browse
	ZfHG3ocggl	Get hash	malicious	Browse
	atowDMaFp5	Get hash	malicious	Browse
	dklbUe1T4F	Get hash	malicious	Browse
	yBSgY7AkVQ	Get hash	malicious	Browse
	9OWCSPhc9b	Get hash	malicious	Browse
	q30BxjOWjU	Get hash	malicious	Browse
	hCEbZJmo1J	Get hash	malicious	Browse
	IkprvCKO7R	Get hash	malicious	Browse
	test	Get hash	malicious	Browse
	jjo	Get hash	malicious	Browse
	VRHl9Qq7KZ	Get hash	malicious	Browse
	9pWjsWV410	Get hash	malicious	Browse
	msHjPlUuCP	Get hash	malicious	Browse
	kh6nkrtW1a	Get hash	malicious	Browse
	yntunzpBrs	Get hash	malicious	Browse
	PoaszyyAKQ	Get hash	malicious	Browse
	JSIJ8EDvD7	Get hash	malicious	Browse
91.189.91.43	MGQDe0tJrx	Get hash	malicious	Browse
	UpavrrqO1z	Get hash	malicious	Browse
	FIFoLIpQmv	Get hash	malicious	Browse
	ZfHG3ocggl	Get hash	malicious	Browse
	atowDMaFp5	Get hash	malicious	Browse
	dklbUe1T4F	Get hash	malicious	Browse
	yBSgY7AkVQ	Get hash	malicious	Browse
	9OWCSPhc9b	Get hash	malicious	Browse
	q30BxjOWjU	Get hash	malicious	Browse
	hCEbZJmo1J	Get hash	malicious	Browse
	IkprvCKO7R	Get hash	malicious	Browse
	test	Get hash	malicious	Browse
	jjo	Get hash	malicious	Browse
	VRHl9Qq7KZ	Get hash	malicious	Browse
	9pWjsWV410	Get hash	malicious	Browse
	msHjPlUuCP	Get hash	malicious	Browse
	kh6nkrtW1a	Get hash	malicious	Browse
	yntunzpBrs	Get hash	malicious	Browse
	PoaszyyAKQ	Get hash	malicious	Browse
	JSIJ8EDvD7	Get hash	malicious	Browse
91.189.91.42	MGQDe0tJrx	Get hash	malicious	Browse
	UpavrrqO1z	Get hash	malicious	Browse
	FIFoLIpQmv	Get hash	malicious	Browse
	ZfHG3ocggl	Get hash	malicious	Browse
	atowDMaFp5	Get hash	malicious	Browse
	dklbUe1T4F	Get hash	malicious	Browse
	yBSgY7AkVQ	Get hash	malicious	Browse
	9OWCSPhc9b	Get hash	malicious	Browse
	q30BxjOWjU	Get hash	malicious	Browse
	hCEbZJmo1J	Get hash	malicious	Browse
	IkprvCKO7R	Get hash	malicious	Browse
	test	Get hash	malicious	Browse
	jjo	Get hash	malicious	Browse
	VRHl9Qq7KZ	Get hash	malicious	Browse
	9pWjsWV410	Get hash	malicious	Browse
	msHjPlUuCP	Get hash	malicious	Browse
	kh6nkrtW1a	Get hash	malicious	Browse
	yntunzpBrs	Get hash	malicious	Browse
	PoaszyyAKQ	Get hash	malicious	Browse
	JSIJ8EDvD7	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
aa369369.f3322.org	7758	Get hash	malicious	Browse	154.38.107.204

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CANONICAL-ASGB	MGQDe0tJrx	Get hash	malicious	Browse	91.189.91.42
	UpavrrqO1z	Get hash	malicious	Browse	91.189.91.42
	FIFoLIpQmv	Get hash	malicious	Browse	91.189.91.42
	ZfHG3ocggl	Get hash	malicious	Browse	91.189.91.42
	atowDMaFp5	Get hash	malicious	Browse	91.189.91.42
	dklbUe1T4F	Get hash	malicious	Browse	91.189.91.42
	yBSgY7AkVQ	Get hash	malicious	Browse	91.189.91.42
	9OWCSPhc9b	Get hash	malicious	Browse	91.189.91.42
	q30BxjOWjU	Get hash	malicious	Browse	91.189.91.42
	hCEbZJmo1J	Get hash	malicious	Browse	91.189.91.42
	IkprvCKO7R	Get hash	malicious	Browse	91.189.91.42
	test	Get hash	malicious	Browse	91.189.91.42
	jjo	Get hash	malicious	Browse	91.189.91.42
	VRHl9Qq7KZ	Get hash	malicious	Browse	91.189.91.42
	9pWjsWV410	Get hash	malicious	Browse	91.189.91.42
	msHjPlUuCP	Get hash	malicious	Browse	91.189.91.42
	kh6nkrtW1a	Get hash	malicious	Browse	91.189.91.42
	yntunzpBrs	Get hash	malicious	Browse	91.189.91.42
	PoaszyyAKQ	Get hash	malicious	Browse	91.189.91.42
	JSIJ8EDvD7	Get hash	malicious	Browse	91.189.91.42
INIT7CH	MGQDe0tJrx	Get hash	malicious	Browse	109.202.202.202
	UpavrrqO1z	Get hash	malicious	Browse	109.202.202.202
	FIFoLIpQmv	Get hash	malicious	Browse	109.202.202.202
	ZfHG3ocggl	Get hash	malicious	Browse	109.202.202.202
	atowDMaFp5	Get hash	malicious	Browse	109.202.202.202
	dklbUe1T4F	Get hash	malicious	Browse	109.202.202.202
	yBSgY7AkVQ	Get hash	malicious	Browse	109.202.202.202
	9OWCSPhc9b	Get hash	malicious	Browse	109.202.202.202
	q30BxjOWjU	Get hash	malicious	Browse	109.202.202.202
	hCEbZJmo1J	Get hash	malicious	Browse	109.202.202.202
	IkprvCKO7R	Get hash	malicious	Browse	109.202.202.202
	test	Get hash	malicious	Browse	109.202.202.202
	jjo	Get hash	malicious	Browse	109.202.202.202
	VRHl9Qq7KZ	Get hash	malicious	Browse	109.202.202.202
	9pWjsWV410	Get hash	malicious	Browse	109.202.202.202
	msHjPlUuCP	Get hash	malicious	Browse	109.202.202.202
	kh6nkrtW1a	Get hash	malicious	Browse	109.202.202.202
	yntunzpBrs	Get hash	malicious	Browse	109.202.202.202
	PoaszyyAKQ	Get hash	malicious	Browse	109.202.202.202
	JSIJ8EDvD7	Get hash	malicious	Browse	109.202.202.202
BCPL-SGBGPNETGlobalASNSG	uFwfpXuEtW	Get hash	malicious	Browse	137.220.223.31
	DB_aa8484640hdgd_Maersk_Cancellation_Notice.vbs	Get hash	malicious	Browse	118.107.6.42
	xd.arm7	Get hash	malicious	Browse	192.253.229.109
	01oHMcUgUM	Get hash	malicious	Browse	1.32.222.215
	QUOTATION REQUEST DTD311221 - Mopcoms TurkeyPDF.xlsx	Get hash	malicious	Browse	134.122.133.172
	Request for Quotation.exe	Get hash	malicious	Browse	1.32.255.137
	cIc4vLO33F	Get hash	malicious	Browse	118.107.53.142
	at04fICL3u.exe	Get hash	malicious	Browse	118.107.59.194
	IvOwj062Ho.exe	Get hash	malicious	Browse	1.32.255.137
	Fourloko.arm7-20211230-1450	Get hash	malicious	Browse	103.200.200.49
	8JNnOIzwor	Get hash	malicious	Browse	14.128.45.167
	xUPL88qO1ioEmeE.exe	Get hash	malicious	Browse	134.122.133.133
	TPi2EJIK5G	Get hash	malicious	Browse	137.220.223.60
	n4QTkJbKIT	Get hash	malicious	Browse	1.32.222.244
	justifika Payment details.exe	Get hash	malicious	Browse	202.95.22.71
	KwX79Yspg5	Get hash	malicious	Browse	137.220.194.123
	vAoZIHEX0n	Get hash	malicious	Browse	137.220.194.123
	Urgent Price request_pdf.exe	Get hash	malicious	Browse	1.32.254.46
	WH6h9En3wj.exe	Get hash	malicious	Browse	202.79.175.12
	nnG7uLPav9	Get hash	malicious	Browse	137.220.194.123

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

/boot/bsnzgwmdyz Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, missing section headers
Category:	dropped
Size (bytes):	217088
Entropy (8bit):	6.302156600943454
Encrypted:	false
SSDEEP:	3072:RB3tlfhOBpVniGwCIlBdIdcwJawys/J0nFxgXyU8ZmxfVHDTL+xotY/4i8v9RGmU:RB3BO1ETdmJJ0nHgBL1TjYgsJX
MD5:	9FA82B10E63D7375763D9E6FC5B53DFD
SHA1:	DAFFC3BB14A254565B2A1409010569BEE7935E1E
SHA-256:	3E476EFEEE073718A45ADD8AF4F4F4AF5390B857BB5106B6C42FF212BDCC967B
SHA-512:	B90161394A58BA43450548069FEC8F41972C852661C0768A052D7F0997A4F87227ED3883FE51D852435933B5E6D8A1BC860EAA289A94F76A680CE7D5EED1509A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/cmltpcveev Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/cmltpcveev, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 63%, Browse Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/dembkqdnnd Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/dembkqdnnd, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 63%, Browse Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/fqimirdumn Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/fqimirdumn, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 63%, Browse Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/hrdgxiqezw Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/hrdgxiqezw, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 63%, Browse Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/ikjjfxjdrw Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/ikjjfxjdrw, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 63%, Browse Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/laeuklbisl Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/laeuklbisl, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 63%, Browse Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/lqzpnnvgqq Download File
Process:	/tmp/test
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/lqzpnnvgqq, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 63%, Browse Antivirus: ReversingLabs, Detection: 74%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/mpetjlbbrw Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/mpetjlbbrw, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/qmdgzglfzw Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/qmdgzglfzw, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/reasemoxfd Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/reasemoxfd, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/uwjxivocaf Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/uwjxivocaf, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/xlkatqzakt Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/xlkatqzakt, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/boot/ydvgqptufg Download File
Process:	/boot/lqzpnnvgqq
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /boot/ydvgqptufg, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

/etc/cron.hourly/cron.sh Download File
Process:	/boot/lqzpnnvgqq
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	223
Entropy (8bit):	4.756432444291805
Encrypted:	false
SSDEEP:	6:htiy4Mrm9lVNy28XbCVP270gJdUiynrgns:RjwVNfGbWPirSR
MD5:	B791B087B1795E3674A9AA765C76FC04
SHA1:	B53F478234AE97F3CDBF2E7FE7EC68D687FEB7C1
SHA-256:	1C1E9B69CF8021BF7CE1F60DCAA2D31C1E21ED4B6E474F3571DA81FFD5A9B69E
SHA-512:	2DCC2E478C51CF8118306FD5C744AAD7147E368CBC4329DB1CC5FAC52088A7F3354079AE2B582B270495789E4FB4591538EC88BB5EA40EEC646F360BAC33BBB2
Malicious:	true
Preview:	#!/bin/sh.PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin.for i in `cat /proc/net/dev\|grep :\|awk -F: {'print $1'}`; do ifconfig $i up& done.cp /lib/udev/udev /lib/udev/debug./lib/udev/debug.

/etc/crontab Download File
Process:	/bin/sh
File Type:	ASCII text
Category:	dropped
Size (bytes):	42
Entropy (8bit):	3.785556864317712
Encrypted:	false
SSDEEP:	3:FFP13tKebPv4KAzn:/P1IebPPUn
MD5:	FD3A6FF13ED8B8D3F00B7C6F8455837B
SHA1:	05F27751D058D9E1D3206A495D53EA1ADADC40B5
SHA-256:	AFDE2F225835B8C113FF86451552DC495CAF1527513849E2B2A0292097A78F5B
SHA-512:	FF7F2B69BE867825E121A6243837857EFED82AB73DA83FD81F0A15406F9EE5BD4C025D3567B91473E071D943ABE4BCB3B30D1218563AAA301A31092DE6CF438C
Malicious:	true
Preview:	/3 * * * root /etc/cron.hourly/cron.sh.

/etc/init.d/lqzpnnvgqq Download File
Process:	/boot/lqzpnnvgqq
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	317
Entropy (8bit):	5.211384091815436
Encrypted:	false
SSDEEP:	6:hUtoFdU96sKheJ3BE21YJvmNeMwhN1DzHRRDs6MzxRDo4:6t3BEMO1PzHRRDszxRDL
MD5:	0143E49F4200F27EA312BC7B26BC566F
SHA1:	60FBABDB9849B0CDE869A3EB0E00F7028B5EFB5F
SHA-256:	EA87F658C20CA77BD493E01D3E128C0BE16830C34EEC3CC531CB9390A0759102
SHA-512:	313D133D7F1B1CA12E0424FB6561E95766D202901AA50F48D0C19CA730D9BCEC4560F2A01F2B81DDC192B5ED8E2DF8424B442CEAB940E3DE5FB785468E522B96
Malicious:	true
Preview:	#!/bin/sh.# chkconfig: 12345 90 90.# description: lqzpnnvgqq.### BEGIN INIT INFO.# Provides:..lqzpnnvgqq.# Required-Start:..# Required-Stop:..# Default-Start:.1 2 3 4 5.# Default-Stop:...# Short-Description:.lqzpnnvgqq.### END INIT INFO.case $1 in.start)../boot/lqzpnnvgqq..;;.stop)..;;.*)../boot/lqzpnnvgqq..;;.esac.

/memfd:snapd-env-generator (deleted) Download File
Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/run/sftp.pid Download File
Process:	/boot/lqzpnnvgqq
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.202819531114783
Encrypted:	false
SSDEEP:	3:FTyXSBHcW4Bn:FyXSx4Bn
MD5:	DACF576E457AA25C6BF42F134F8DCFC6
SHA1:	450149BBCA89C9E8222A62DCA9828221B21CA97F
SHA-256:	2E99A5A71C64666FEEF4ED5C657B5BE088AF8A42120644BC782FB96194863DD5
SHA-512:	7B8CCC52659AE5921E0276F41CEA372724D99421859571571F236BAAF9654BBDC3823473BD87C5E802E36ED6FE65183A04E08A10985EF2C6F33A6EEFDD6ED6D5
Malicious:	false
Preview:	uuqojokuzcdppnrsabvrmwadslwllbxh

/usr/lib/udev/udev Download File
Process:	/tmp/test
File Type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Category:	dropped
Size (bytes):	662840
Entropy (8bit):	6.255485923668946
Encrypted:	false
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
MD5:	D20E3E491D242D649C3FCF4879F2CBF2
SHA1:	681406D197C6DE50BC611BB466C012F0CD9B4AA6
SHA-256:	F4A25E8D960C631699E1B9ADAB8D29E5E4A2AE0D3BE1C7739275A6A72B9B0876
SHA-512:	DE50E27B457D3EE8E9D41800C83FD5EB4A1F0B0D568F02A4ECD482A4390B435410C15A262C123162E7E7F877219FF8FE13CE763ECECE80F96872CD050895141C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XorDDoS, Description: Yara detected XorDDoS Bot, Source: /usr/lib/udev/udev, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R........................ ... ...............$;..$...$.......@...........Q.td........................................GNU.................U.....5.........Gr.........1.^....PTRh./..h.0..QVh...........U..S........[..DJ..........t..~..X[.......U..S....=.....uT.H...-@.......X......9.v...&...............@........9.w.......t...$.Z...S`............[]......U.p............Z..I....t .T$..D$......D$.......$.Z...eb...L.....t........t...$L.......U.....E..D$..E..D$..E...$....E..D$..E...$............U...(.E.....D$..E..D$...$1.........E..}..x..E....;E....E......?.E..E.....E..E..".E..E....</u..U.....E..........m...}..y.E..E.E...U...(.E.....D$..E..D$...$1....y....E..}..x..E....;E....E........E..E.....E..E.E...U...(...............D$..D$.......$.@....E..D$..D$.@....D$.............$.....E.....D$..E..D$.........$......E..}..x..E....;E...............E..E.....E...............U..W.....

Static File Info

General
File type:	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.9, with debug_info, not stripped
Entropy (8bit):	6.255485923668946
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	test
File size:	662840
MD5:	d20e3e491d242d649c3fcf4879f2cbf2
SHA1:	681406d197c6de50bc611bb466c012f0cd9b4aa6
SHA256:	f4a25e8d960c631699e1b9adab8d29e5e4a2ae0d3be1c7739275a6a72b9b0876
SHA512:	de50e27b457d3ee8e9d41800c83fd5eb4a1f0b0d568f02a4ecd482a4390b435410c15a262c123162e7e7f877219ff8fe13ce763ecece80f96872cd050895141c
SSDEEP:	12288:RBRO1UmJJ0nHgBL9YfJip2qm+x4h1Tonbp6y07l7mtBDvnD/u9hMHDB:RBRpmJ+HyL9AiAqm+x4h1mb6wvnDWXMN
File Content Preview:	.ELF........................4...........4. ...(.$.!.................";..";..............$;..$...$........R.......................... ... ...............$;..$...$.......@...........Q.td........................................GNU.................U......5...

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Intel 80386
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x8048110
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	5
Section Header Offset:	590776
Section Header Size:	40
Number of Section Headers:	36
Header String Table Index:	33

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.note.ABI-tag	NOTE	0x80480d4	0xd4	0x20	0x0	0x2	A	0	0	4
.init	PROGBITS	0x80480f4	0xf4	0x17	0x0	0x6	AX	0	0	4
.text	PROGBITS	0x8048110	0x110	0x67268	0x0	0x6	AX	0	0	16
__libc_freeres_fn	PROGBITS	0x80af380	0x67380	0x100f	0x0	0x6	AX	0	0	16
__libc_thread_freeres_fn	PROGBITS	0x80b0390	0x68390	0x1db	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x80b056c	0x6856c	0x1c	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x80b05a0	0x685a0	0x15500	0x0	0x2	A	0	0	32
__libc_subfreeres	PROGBITS	0x80c5aa0	0x7daa0	0x30	0x0	0x2	A	0	0	4
__libc_atexit	PROGBITS	0x80c5ad0	0x7dad0	0x4	0x0	0x2	A	0	0	4
__libc_thread_subfreeres	PROGBITS	0x80c5ad4	0x7dad4	0x8	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x80c5adc	0x7dadc	0x5f48	0x0	0x2	A	0	0	4
.gcc_except_table	PROGBITS	0x80cba24	0x83a24	0xfe	0x0	0x2	A	0	0	1
.tdata	PROGBITS	0x80ccb24	0x83b24	0x14	0x0	0x403	WAT	0	0	4
.tbss	NOBITS	0x80ccb38	0x83b38	0x2c	0x0	0x403	WAT	0	0	4
.ctors	PROGBITS	0x80ccb38	0x83b38	0x8	0x0	0x3	WA	0	0	4
.dtors	PROGBITS	0x80ccb40	0x83b40	0xc	0x0	0x3	WA	0	0	4
.jcr	PROGBITS	0x80ccb4c	0x83b4c	0x4	0x0	0x3	WA	0	0	4
.data.rel.ro	PROGBITS	0x80ccb50	0x83b50	0x2c	0x0	0x3	WA	0	0	4
.got	PROGBITS	0x80ccb7c	0x83b7c	0x8	0x4	0x3	WA	0	0	4
.got.plt	PROGBITS	0x80ccb84	0x83b84	0xc	0x4	0x3	WA	0	0	4
.data	PROGBITS	0x80ccba0	0x83ba0	0xb40	0x0	0x3	WA	0	0	32
.bss	NOBITS	0x80cd6e0	0x846e0	0x46b8	0x0	0x3	WA	0	0	32
__libc_freeres_ptrs	NOBITS	0x80d1d98	0x846e0	0x14	0x0	0x3	WA	0	0	4
.comment	PROGBITS	0x0	0x846e0	0x422	0x0	0x0		0	0	1
.debug_aranges	PROGBITS	0x0	0x84b02	0x1e0	0x0	0x0		0	0	1
.debug_pubnames	PROGBITS	0x0	0x84ce2	0x7b7	0x0	0x0		0	0	1
.debug_info	PROGBITS	0x0	0x85499	0x6da6	0x0	0x0		0	0	1
.debug_abbrev	PROGBITS	0x0	0x8c23f	0x10d0	0x0	0x0		0	0	1
.debug_line	PROGBITS	0x0	0x8d30f	0x1325	0x0	0x0		0	0	1
.debug_frame	PROGBITS	0x0	0x8e634	0xa08	0x0	0x0		0	0	4
.debug_str	PROGBITS	0x0	0x8f03c	0x2b5	0x0	0x0		0	0	1
.debug_loc	PROGBITS	0x0	0x8f2f1	0xf37	0x0	0x0		0	0	1
.shstrtab	STRTAB	0x0	0x90228	0x18e	0x0	0x0		0	0	1
.symtab	SYMTAB	0x0	0x90958	0x9240	0x10	0x0		35	917	4
.strtab	STRTAB	0x0	0x99b98	0x81a0	0x0	0x0		0	0	1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8048000	0x8048000	0x83b22	0x83b22	3.3515	0x5	R E	0x1000	.note.ABI-tag .init .text __libc_freeres_fn __libc_thread_freeres_fn .fini .rodata __libc_subfreeres __libc_atexit __libc_thread_subfreeres .eh_frame .gcc_except_table
LOAD	0x83b24	0x80ccb24	0x80ccb24	0xbbc	0x5288	2.9065	0x6	RW	0x1000	.ctors .dtors .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs
NOTE	0xd4	0x80480d4	0x80480d4	0x20	0x20	1.7487	0x4	R	0x4	.note.ABI-tag
TLS	0x83b24	0x80ccb24	0x80ccb24	0x14	0x40	2.2771	0x4	R	0x4
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Symbols

Name	Section Name	Value	Size	Symbol Type	Symbol Bind	Symbol Visibility	Ndx
	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
	.symtab	0x80480d4	0	SECTION	<unknown>	DEFAULT	1
	.symtab	0x80480f4	0	SECTION	<unknown>	DEFAULT	2
	.symtab	0x8048110	0	SECTION	<unknown>	DEFAULT	3
	.symtab	0x80af380	0	SECTION	<unknown>	DEFAULT	4
	.symtab	0x80b0390	0	SECTION	<unknown>	DEFAULT	5
	.symtab	0x80b056c	0	SECTION	<unknown>	DEFAULT	6
	.symtab	0x80b05a0	0	SECTION	<unknown>	DEFAULT	7
	.symtab	0x80c5aa0	0	SECTION	<unknown>	DEFAULT	8
	.symtab	0x80c5ad0	0	SECTION	<unknown>	DEFAULT	9
	.symtab	0x80c5ad4	0	SECTION	<unknown>	DEFAULT	10
	.symtab	0x80c5adc	0	SECTION	<unknown>	DEFAULT	11
	.symtab	0x80cba24	0	SECTION	<unknown>	DEFAULT	12
	.symtab	0x80ccb24	0	SECTION	<unknown>	DEFAULT	13
	.symtab	0x80ccb38	0	SECTION	<unknown>	DEFAULT	14
	.symtab	0x80ccb38	0	SECTION	<unknown>	DEFAULT	15
	.symtab	0x80ccb40	0	SECTION	<unknown>	DEFAULT	16
	.symtab	0x80ccb4c	0	SECTION	<unknown>	DEFAULT	17
	.symtab	0x80ccb50	0	SECTION	<unknown>	DEFAULT	18
	.symtab	0x80ccb7c	0	SECTION	<unknown>	DEFAULT	19
	.symtab	0x80ccb84	0	SECTION	<unknown>	DEFAULT	20
	.symtab	0x80ccba0	0	SECTION	<unknown>	DEFAULT	21
	.symtab	0x80cd6e0	0	SECTION	<unknown>	DEFAULT	22
	.symtab	0x80d1d98	0	SECTION	<unknown>	DEFAULT	23
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	24
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	25
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	26
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	27
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	28
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	29
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	30
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	31
	.symtab	0x0	0	SECTION	<unknown>	DEFAULT	32
.L108	.symtab	0x80ab3e0	0	NOTYPE	<unknown>	DEFAULT	3
.L113	.symtab	0x80ab420	0	NOTYPE	<unknown>	DEFAULT	3
.L114	.symtab	0x80ab488	0	NOTYPE	<unknown>	DEFAULT	3
.L115	.symtab	0x80ab4c0	0	NOTYPE	<unknown>	DEFAULT	3
.L116	.symtab	0x80ab4de	0	NOTYPE	<unknown>	DEFAULT	3
.L117	.symtab	0x80ab4fc	0	NOTYPE	<unknown>	DEFAULT	3
.L118	.symtab	0x80ab519	0	NOTYPE	<unknown>	DEFAULT	3
.L119	.symtab	0x80ab54d	0	NOTYPE	<unknown>	DEFAULT	3
.L12	.symtab	0x80aed9b	0	NOTYPE	<unknown>	DEFAULT	3
.L120	.symtab	0x80ab56c	0	NOTYPE	<unknown>	DEFAULT	3
.L121	.symtab	0x80ab58b	0	NOTYPE	<unknown>	DEFAULT	3
.L122	.symtab	0x80ab373	0	NOTYPE	<unknown>	DEFAULT	3
.L123	.symtab	0x80ab5bb	0	NOTYPE	<unknown>	DEFAULT	3
.L124	.symtab	0x80ab80f	0	NOTYPE	<unknown>	DEFAULT	3
.L125	.symtab	0x80ab844	0	NOTYPE	<unknown>	DEFAULT	3
.L126	.symtab	0x80ab792	0	NOTYPE	<unknown>	DEFAULT	3
.L127	.symtab	0x80ab7af	0	NOTYPE	<unknown>	DEFAULT	3
.L128	.symtab	0x80ab7d6	0	NOTYPE	<unknown>	DEFAULT	3
.L129	.symtab	0x80ab7f3	0	NOTYPE	<unknown>	DEFAULT	3
.L130	.symtab	0x80ab61c	0	NOTYPE	<unknown>	DEFAULT	3
.L131	.symtab	0x80ab663	0	NOTYPE	<unknown>	DEFAULT	3
.L132	.symtab	0x80ab690	0	NOTYPE	<unknown>	DEFAULT	3
.L133	.symtab	0x80ab6c7	0	NOTYPE	<unknown>	DEFAULT	3
.L134	.symtab	0x80ab6e0	0	NOTYPE	<unknown>	DEFAULT	3
.L135	.symtab	0x80ab70d	0	NOTYPE	<unknown>	DEFAULT	3
.L136	.symtab	0x80ab745	0	NOTYPE	<unknown>	DEFAULT	3
.L137	.symtab	0x80ab759	0	NOTYPE	<unknown>	DEFAULT	3
.L14	.symtab	0x80aeea9	0	NOTYPE	<unknown>	DEFAULT	3
.L15	.symtab	0x80aee98	0	NOTYPE	<unknown>	DEFAULT	3
.L16	.symtab	0x80aee88	0	NOTYPE	<unknown>	DEFAULT	3
.L17	.symtab	0x80aee78	0	NOTYPE	<unknown>	DEFAULT	3
.L18	.symtab	0x80aee1c	0	NOTYPE	<unknown>	DEFAULT	3
.L19	.symtab	0x80aee0e	0	NOTYPE	<unknown>	DEFAULT	3
.L20	.symtab	0x80aedd5	0	NOTYPE	<unknown>	DEFAULT	3
.L21	.symtab	0x80aee01	0	NOTYPE	<unknown>	DEFAULT	3
.L258	.symtab	0x80ac1fc	0	NOTYPE	<unknown>	DEFAULT	3
.L259	.symtab	0x80abf30	0	NOTYPE	<unknown>	DEFAULT	3
.L260	.symtab	0x80ac087	0	NOTYPE	<unknown>	DEFAULT	3
.L261	.symtab	0x80ac250	0	NOTYPE	<unknown>	DEFAULT	3
.L262	.symtab	0x80ac079	0	NOTYPE	<unknown>	DEFAULT	3
.L264	.symtab	0x80abecd	0	NOTYPE	<unknown>	DEFAULT	3
.L266	.symtab	0x80abf26	0	NOTYPE	<unknown>	DEFAULT	3
.L267	.symtab	0x80ac11f	0	NOTYPE	<unknown>	DEFAULT	3
.L268	.symtab	0x80ac130	0	NOTYPE	<unknown>	DEFAULT	3
.L269	.symtab	0x80ac095	0	NOTYPE	<unknown>	DEFAULT	3
.L270	.symtab	0x80ac0b8	0	NOTYPE	<unknown>	DEFAULT	3
.L271	.symtab	0x80ac0d2	0	NOTYPE	<unknown>	DEFAULT	3
.L272	.symtab	0x80ac0f4	0	NOTYPE	<unknown>	DEFAULT	3
.L273	.symtab	0x80abf3b	0	NOTYPE	<unknown>	DEFAULT	3
.L274	.symtab	0x80abf74	0	NOTYPE	<unknown>	DEFAULT	3
.L275	.symtab	0x80ac029	0	NOTYPE	<unknown>	DEFAULT	3
.L276	.symtab	0x80abfef	0	NOTYPE	<unknown>	DEFAULT	3
.L277	.symtab	0x80ac06a	0	NOTYPE	<unknown>	DEFAULT	3
.L278	.symtab	0x80ac2c5	0	NOTYPE	<unknown>	DEFAULT	3
.L279	.symtab	0x80ac25e	0	NOTYPE	<unknown>	DEFAULT	3
.L280	.symtab	0x80ac270	0	NOTYPE	<unknown>	DEFAULT	3
.L281	.symtab	0x80ac147	0	NOTYPE	<unknown>	DEFAULT	3
.L282	.symtab	0x80ac19c	0	NOTYPE	<unknown>	DEFAULT	3
.L283	.symtab	0x80abef7	0	NOTYPE	<unknown>	DEFAULT	3
.L350	.symtab	0x80ac2d0	0	NOTYPE	<unknown>	DEFAULT	3
.L351	.symtab	0x80ac2da	0	NOTYPE	<unknown>	DEFAULT	3
.L352	.symtab	0x80ac2e9	0	NOTYPE	<unknown>	DEFAULT	3
.L353	.symtab	0x80ac2f3	0	NOTYPE	<unknown>	DEFAULT	3
.L354	.symtab	0x80ac302	0	NOTYPE	<unknown>	DEFAULT	3
.L355	.symtab	0x80ac30d	0	NOTYPE	<unknown>	DEFAULT	3
.L356	.symtab	0x80ac317	0	NOTYPE	<unknown>	DEFAULT	3
.L357	.symtab	0x80ac322	0	NOTYPE	<unknown>	DEFAULT	3
.L358	.symtab	0x80ac32e	0	NOTYPE	<unknown>	DEFAULT	3
.L359	.symtab	0x80ac33a	0	NOTYPE	<unknown>	DEFAULT	3
.L360	.symtab	0x80ac343	0	NOTYPE	<unknown>	DEFAULT	3
.L361	.symtab	0x80ac34d	0	NOTYPE	<unknown>	DEFAULT	3
.L362	.symtab	0x80ac35c	0	NOTYPE	<unknown>	DEFAULT	3
.L363	.symtab	0x80ac36b	0	NOTYPE	<unknown>	DEFAULT	3
.L364	.symtab	0x80ac37a	0	NOTYPE	<unknown>	DEFAULT	3
.L365	.symtab	0x80ac389	0	NOTYPE	<unknown>	DEFAULT	3
.L366	.symtab	0x80ac398	0	NOTYPE	<unknown>	DEFAULT	3
.L380	.symtab	0x80abec8	0	NOTYPE	<unknown>	DEFAULT	3
.L411	.symtab	0x80ac5a0	0	NOTYPE	<unknown>	DEFAULT	3
.L412	.symtab	0x80ac576	0	NOTYPE	<unknown>	DEFAULT	3
.L413	.symtab	0x80ac5e4	0	NOTYPE	<unknown>	DEFAULT	3
.L414	.symtab	0x80ac650	0	NOTYPE	<unknown>	DEFAULT	3
.L415	.symtab	0x80ac6b0	0	NOTYPE	<unknown>	DEFAULT	3
.L416	.symtab	0x80ac6f0	0	NOTYPE	<unknown>	DEFAULT	3
.L61	.symtab	0x80ab103	0	NOTYPE	<unknown>	DEFAULT	3
.L63	.symtab	0x80ab17f	0	NOTYPE	<unknown>	DEFAULT	3
.L64	.symtab	0x80ab15e	0	NOTYPE	<unknown>	DEFAULT	3
.L67	.symtab	0x80ab16e	0	NOTYPE	<unknown>	DEFAULT	3
.L68	.symtab	0x80ab166	0	NOTYPE	<unknown>	DEFAULT	3
.L69	.symtab	0x80ab132	0	NOTYPE	<unknown>	DEFAULT	3
.L70	.symtab	0x80ab152	0	NOTYPE	<unknown>	DEFAULT	3
.L74	.symtab	0x80ad5f3	0	NOTYPE	<unknown>	DEFAULT	3
.L76	.symtab	0x80ad66f	0	NOTYPE	<unknown>	DEFAULT	3
.L77	.symtab	0x80ad64e	0	NOTYPE	<unknown>	DEFAULT	3
.L80	.symtab	0x80ad65e	0	NOTYPE	<unknown>	DEFAULT	3
.L81	.symtab	0x80ad656	0	NOTYPE	<unknown>	DEFAULT	3
.L82	.symtab	0x80ad622	0	NOTYPE	<unknown>	DEFAULT	3
.L83	.symtab	0x80ad642	0	NOTYPE	<unknown>	DEFAULT	3
AddService	.symtab	0x8048865	807	FUNC	<unknown>	DEFAULT	3
CalcCrc32	.symtab	0x8049220	70	FUNC	<unknown>	DEFAULT	3
CalcFileCrc	.symtab	0x80492b2	172	FUNC	<unknown>	DEFAULT	3
CalcFindIpCrc	.symtab	0x804928c	38	FUNC	<unknown>	DEFAULT	3
CalcHeaderCrc	.symtab	0x8049266	38	FUNC	<unknown>	DEFAULT	3
CheckLKM	.symtab	0x804a289	107	FUNC	<unknown>	DEFAULT	3
CreateDir	.symtab	0x80483de	375	FUNC	<unknown>	DEFAULT	3
DNS_ADDR	.symtab	0x80ccee4	16	OBJECT	<unknown>	DEFAULT	21
DNS_ADDR2	.symtab	0x80ccef4	16	OBJECT	<unknown>	DEFAULT	21
DNS_PORT	.symtab	0x80ccf04	4	OBJECT	<unknown>	DEFAULT	21
DelService	.symtab	0x8048cdc	275	FUNC	<unknown>	DEFAULT	3
DelService_form_pid	.symtab	0x8048def	113	FUNC	<unknown>	DEFAULT	3
GetCpuInfo	.symtab	0x804c1fa	539	FUNC	<unknown>	DEFAULT	3
GetLanSpeed	.symtab	0x804c50d	243	FUNC	<unknown>	DEFAULT	3
GetMemStat	.symtab	0x804c105	245	FUNC	<unknown>	DEFAULT	3
Get_AllIP	.symtab	0x804ce89	375	FUNC	<unknown>	DEFAULT	3
HideFile	.symtab	0x804a3d7	151	FUNC	<unknown>	DEFAULT	3
HidePidPort	.symtab	0x804a365	114	FUNC	<unknown>	DEFAULT	3
InstallSYS	.symtab	0x8048b8c	336	FUNC	<unknown>	DEFAULT	3
LinuxExec	.symtab	0x8048efd	119	FUNC	<unknown>	DEFAULT	3
LinuxExec_Argv	.symtab	0x8048f74	132	FUNC	<unknown>	DEFAULT	3
LinuxExec_Argv2	.symtab	0x8048ff8	145	FUNC	<unknown>	DEFAULT	3
LogFacility	.symtab	0x80cd42c	4	OBJECT	<unknown>	DEFAULT	21
LogFile	.symtab	0x80cd428	4	OBJECT	<unknown>	DEFAULT	21
LogMask	.symtab	0x80cd420	4	OBJECT	<unknown>	DEFAULT	21
LogStat	.symtab	0x80d0a04	4	OBJECT	<unknown>	DEFAULT	22
LogTag	.symtab	0x80d0a08	4	OBJECT	<unknown>	DEFAULT	22
LogType	.symtab	0x80cd424	4	OBJECT	<unknown>	DEFAULT	21
MAGIC_STR	.symtab	0x80cd920	33	OBJECT	<unknown>	DEFAULT	22
MainList	.symtab	0x80cd960	264	OBJECT	<unknown>	DEFAULT	22
OpenProc	.symtab	0x804a260	41	FUNC	<unknown>	DEFAULT	3
ReadWord	.symtab	0x804c07c	137	FUNC	<unknown>	DEFAULT	3
SIZE_DNS_H	.symtab	0x80ccebc	4	OBJECT	<unknown>	DEFAULT	21
SIZE_DNS_T	.symtab	0x80ccec0	4	OBJECT	<unknown>	DEFAULT	21
SIZE_IP_H	.symtab	0x80cceb0	4	OBJECT	<unknown>	DEFAULT	21
SIZE_PSEUDO_HDR	.symtab	0x80ccec4	4	OBJECT	<unknown>	DEFAULT	21
SIZE_TCP_H	.symtab	0x80cceb8	4	OBJECT	<unknown>	DEFAULT	21
SIZE_UDP_H	.symtab	0x80cceb4	4	OBJECT	<unknown>	DEFAULT	21
SYS_BUF	.symtab	0x80cd700	1	OBJECT	<unknown>	DEFAULT	22
SyslogAddr	.symtab	0x80d0a20	110	OBJECT	<unknown>	DEFAULT	22
THREAD_NUM	.symtab	0x80d1b20	4	OBJECT	<unknown>	DEFAULT	22
_Exit	.symtab	0x8064988	19	FUNC	<unknown>	DEFAULT	3
_GLOBAL_OFFSET_TABLE_	.symtab	0x80ccb84	0	OBJECT	<unknown>	HIDDEN	20
_IO_2_1_stderr_	.symtab	0x80cd120	152	OBJECT	<unknown>	DEFAULT	21
_IO_2_1_stdin_	.symtab	0x80ccfe0	152	OBJECT	<unknown>	DEFAULT	21
_IO_2_1_stdout_	.symtab	0x80cd080	152	OBJECT	<unknown>	DEFAULT	21
_IO_adjust_column	.symtab	0x8059e40	60	FUNC	<unknown>	DEFAULT	3
_IO_adjust_wcolumn	.symtab	0x8081810	63	FUNC	<unknown>	DEFAULT	3
_IO_cleanup	.symtab	0x805a7a0	409	FUNC	<unknown>	DEFAULT	3
_IO_default_doallocate	.symtab	0x805b2a0	143	FUNC	<unknown>	DEFAULT	3
_IO_default_finish	.symtab	0x805b7a0	525	FUNC	<unknown>	DEFAULT	3
_IO_default_imbue	.symtab	0x8059f50	5	FUNC	<unknown>	DEFAULT	3
_IO_default_pbackfail	.symtab	0x805ad90	310	FUNC	<unknown>	DEFAULT	3
_IO_default_read	.symtab	0x8059f20	10	FUNC	<unknown>	DEFAULT	3
_IO_default_seek	.symtab	0x8059f00	15	FUNC	<unknown>	DEFAULT	3
_IO_default_seekoff	.symtab	0x8059d90	15	FUNC	<unknown>	DEFAULT	3
_IO_default_seekpos	.symtab	0x8059ca0	59	FUNC	<unknown>	DEFAULT	3
_IO_default_setbuf	.symtab	0x805b1a0	244	FUNC	<unknown>	DEFAULT	3
_IO_default_showmanyc	.symtab	0x8059f40	10	FUNC	<unknown>	DEFAULT	3
_IO_default_stat	.symtab	0x8059f10	10	FUNC	<unknown>	DEFAULT	3
_IO_default_sync	.symtab	0x8059d80	7	FUNC	<unknown>	DEFAULT	3
_IO_default_uflow	.symtab	0x8059c40	52	FUNC	<unknown>	DEFAULT	3
_IO_default_underflow	.symtab	0x8059c30	10	FUNC	<unknown>	DEFAULT	3
_IO_default_write	.symtab	0x8059f30	7	FUNC	<unknown>	DEFAULT	3
_IO_default_xsgetn	.symtab	0x805b6e0	185	FUNC	<unknown>	DEFAULT	3
_IO_default_xsputn	.symtab	0x805a110	225	FUNC	<unknown>	DEFAULT	3
_IO_do_write	.symtab	0x8059210	271	FUNC	<unknown>	DEFAULT	3
_IO_doallocbuf	.symtab	0x805b110	133	FUNC	<unknown>	DEFAULT	3
_IO_fclose	.symtab	0x80555c0	439	FUNC	<unknown>	DEFAULT	3
_IO_feof	.symtab	0x8056b60	154	FUNC	<unknown>	DEFAULT	3
_IO_file_attach	.symtab	0x8057250	133	FUNC	<unknown>	DEFAULT	3
_IO_file_close	.symtab	0x8057dd0	18	FUNC	<unknown>	DEFAULT	3
_IO_file_close_it	.symtab	0x8058780	581	FUNC	<unknown>	DEFAULT	3
_IO_file_close_mmap	.symtab	0x8057df0	60	FUNC	<unknown>	DEFAULT	3
_IO_file_doallocate	.symtab	0x8080a50	275	FUNC	<unknown>	DEFAULT	3
_IO_file_finish	.symtab	0x8059930	327	FUNC	<unknown>	DEFAULT	3
_IO_file_fopen	.symtab	0x80589d0	1388	FUNC	<unknown>	DEFAULT	3
_IO_file_init	.symtab	0x80584d0	51	FUNC	<unknown>	DEFAULT	3
_IO_file_jumps	.symtab	0x80b1880	84	OBJECT	<unknown>	DEFAULT	7
_IO_file_jumps_maybe_mmap	.symtab	0x80b1940	84	OBJECT	<unknown>	DEFAULT	7
_IO_file_jumps_mmap	.symtab	0x80b18e0	84	OBJECT	<unknown>	DEFAULT	7
_IO_file_open	.symtab	0x80583c0	263	FUNC	<unknown>	DEFAULT	3
_IO_file_overflow	.symtab	0x80594c0	1131	FUNC	<unknown>	DEFAULT	3
_IO_file_read	.symtab	0x8057e60	48	FUNC	<unknown>	DEFAULT	3
_IO_file_seek	.symtab	0x8057460	18	FUNC	<unknown>	DEFAULT	3
_IO_file_seekoff	.symtab	0x8057e90	1245	FUNC	<unknown>	DEFAULT	3
_IO_file_seekoff_maybe_mmap	.symtab	0x8057410	80	FUNC	<unknown>	DEFAULT	3
_IO_file_seekoff_mmap	.symtab	0x80572e0	297	FUNC	<unknown>	DEFAULT	3
_IO_file_setbuf	.symtab	0x8058370	75	FUNC	<unknown>	DEFAULT	3
_IO_file_setbuf_mmap	.symtab	0x8058700	115	FUNC	<unknown>	DEFAULT	3
_IO_file_stat	.symtab	0x8057e30	37	FUNC	<unknown>	DEFAULT	3
_IO_file_sync	.symtab	0x8059320	406	FUNC	<unknown>	DEFAULT	3
_IO_file_sync_mmap	.symtab	0x8057480	165	FUNC	<unknown>	DEFAULT	3
_IO_file_underflow	.symtab	0x8058510	495	FUNC	<unknown>	DEFAULT	3
_IO_file_underflow_maybe_mmap	.symtab	0x8057770	30	FUNC	<unknown>	DEFAULT	3
_IO_file_underflow_mmap	.symtab	0x8057b40	66	FUNC	<unknown>	DEFAULT	3
_IO_file_write	.symtab	0x8057d20	166	FUNC	<unknown>	DEFAULT	3
_IO_file_xsgetn	.symtab	0x8057b90	394	FUNC	<unknown>	DEFAULT	3
_IO_file_xsgetn_maybe_mmap	.symtab	0x8057720	67	FUNC	<unknown>	DEFAULT	3
_IO_file_xsgetn_mmap	.symtab	0x8057a40	242	FUNC	<unknown>	DEFAULT	3
_IO_file_xsputn	.symtab	0x8058f40	705	FUNC	<unknown>	DEFAULT	3
_IO_flush_all	.symtab	0x805a940	20	FUNC	<unknown>	DEFAULT	3
_IO_flush_all_linebuffered	.symtab	0x805a3c0	448	FUNC	<unknown>	DEFAULT	3
_IO_flush_all_lockp	.symtab	0x805a580	533	FUNC	<unknown>	DEFAULT	3
_IO_fopen	.symtab	0x80558e0	34	FUNC	<unknown>	DEFAULT	3
_IO_fprintf	.symtab	0x80803d0	36	FUNC	<unknown>	DEFAULT	3
_IO_free_backup_area	.symtab	0x805a0b0	93	FUNC	<unknown>	DEFAULT	3
_IO_free_wbackup_area	.symtab	0x8081890	104	FUNC	<unknown>	DEFAULT	3
_IO_ftell	.symtab	0x8080b70	436	FUNC	<unknown>	DEFAULT	3
_IO_funlockfile	.symtab	0x8080460	47	FUNC	<unknown>	DEFAULT	3
_IO_fwide	.symtab	0x80829f0	323	FUNC	<unknown>	DEFAULT	3
_IO_fwrite	.symtab	0x8080e00	297	FUNC	<unknown>	DEFAULT	3
_IO_getc	.symtab	0x8056d10	207	FUNC	<unknown>	DEFAULT	3
_IO_getdelim	.symtab	0x8080f50	624	FUNC	<unknown>	DEFAULT	3
_IO_getline	.symtab	0x809b8d0	55	FUNC	<unknown>	DEFAULT	3
_IO_getline_info	.symtab	0x809b760	353	FUNC	<unknown>	DEFAULT	3
_IO_helper_jumps	.symtab	0x80c04c0	84	OBJECT	<unknown>	DEFAULT	7
_IO_helper_overflow	.symtab	0x8077060	175	FUNC	<unknown>	DEFAULT	3
_IO_init	.symtab	0x805afe0	163	FUNC	<unknown>	DEFAULT	3
_IO_init_marker	.symtab	0x805b330	169	FUNC	<unknown>	DEFAULT	3
_IO_init_wmarker	.symtab	0x8082180	193	FUNC	<unknown>	DEFAULT	3
_IO_iter_begin	.symtab	0x8059f60	10	FUNC	<unknown>	DEFAULT	3
_IO_iter_end	.symtab	0x8059f70	7	FUNC	<unknown>	DEFAULT	3
_IO_iter_file	.symtab	0x8059f90	8	FUNC	<unknown>	DEFAULT	3
_IO_iter_next	.symtab	0x8059f80	11	FUNC	<unknown>	DEFAULT	3
_IO_least_marker	.symtab	0x8059b20	38	FUNC	<unknown>	DEFAULT	3
_IO_least_wmarker	.symtab	0x8081610	51	FUNC	<unknown>	DEFAULT	3
_IO_link_in	.symtab	0x805a960	400	FUNC	<unknown>	DEFAULT	3
_IO_list_all	.symtab	0x80cd1b8	4	OBJECT	<unknown>	DEFAULT	21
_IO_list_all_stamp	.symtab	0x80d04c0	4	OBJECT	<unknown>	DEFAULT	22
_IO_list_lock	.symtab	0x8059fa0	64	FUNC	<unknown>	DEFAULT	3
_IO_list_resetlock	.symtab	0x805a020	35	FUNC	<unknown>	DEFAULT	3
_IO_list_unlock	.symtab	0x8059fe0	56	FUNC	<unknown>	DEFAULT	3
_IO_marker_delta	.symtab	0x8059ed0	47	FUNC	<unknown>	DEFAULT	3
_IO_marker_difference	.symtab	0x8059eb0	17	FUNC	<unknown>	DEFAULT	3
_IO_mem_finish	.symtab	0x8082c50	106	FUNC	<unknown>	DEFAULT	3
_IO_mem_jumps	.symtab	0x80c0920	84	OBJECT	<unknown>	DEFAULT	7
_IO_mem_sync	.symtab	0x8082c00	76	FUNC	<unknown>	DEFAULT	3
_IO_new_do_write	.symtab	0x8059210	271	FUNC	<unknown>	DEFAULT	3
_IO_new_fclose	.symtab	0x80555c0	439	FUNC	<unknown>	DEFAULT	3
_IO_new_file_attach	.symtab	0x8057250	133	FUNC	<unknown>	DEFAULT	3
_IO_new_file_close_it	.symtab	0x8058780	581	FUNC	<unknown>	DEFAULT	3
_IO_new_file_finish	.symtab	0x8059930	327	FUNC	<unknown>	DEFAULT	3
_IO_new_file_fopen	.symtab	0x80589d0	1388	FUNC	<unknown>	DEFAULT	3
_IO_new_file_init	.symtab	0x80584d0	51	FUNC	<unknown>	DEFAULT	3
_IO_new_file_overflow	.symtab	0x80594c0	1131	FUNC	<unknown>	DEFAULT	3
_IO_new_file_seekoff	.symtab	0x8057e90	1245	FUNC	<unknown>	DEFAULT	3
_IO_new_file_setbuf	.symtab	0x8058370	75	FUNC	<unknown>	DEFAULT	3
_IO_new_file_sync	.symtab	0x8059320	406	FUNC	<unknown>	DEFAULT	3
_IO_new_file_underflow	.symtab	0x8058510	495	FUNC	<unknown>	DEFAULT	3
_IO_new_file_write	.symtab	0x8057d20	166	FUNC	<unknown>	DEFAULT	3
_IO_new_file_xsputn	.symtab	0x8058f40	705	FUNC	<unknown>	DEFAULT	3
_IO_new_fopen	.symtab	0x80558e0	34	FUNC	<unknown>	DEFAULT	3
_IO_no_init	.symtab	0x805aed0	259	FUNC	<unknown>	DEFAULT	3
_IO_old_init	.symtab	0x8059ce0	150	FUNC	<unknown>	DEFAULT	3
_IO_padn	.symtab	0x80811f0	203	FUNC	<unknown>	DEFAULT	3
_IO_remove_marker	.symtab	0x8059e80	40	FUNC	<unknown>	DEFAULT	3
_IO_seekmark	.symtab	0x805acd0	179	FUNC	<unknown>	DEFAULT	3
_IO_seekoff	.symtab	0x80813a0	233	FUNC	<unknown>	DEFAULT	3
_IO_seekoff_unlocked	.symtab	0x80812c0	224	FUNC	<unknown>	DEFAULT	3
_IO_seekwmark	.symtab	0x8081de0	181	FUNC	<unknown>	DEFAULT	3
_IO_setb	.symtab	0x805a050	93	FUNC	<unknown>	DEFAULT	3
_IO_sgetn	.symtab	0x8059c80	18	FUNC	<unknown>	DEFAULT	3
_IO_sputbackc	.symtab	0x8059da0	75	FUNC	<unknown>	DEFAULT	3
_IO_sputbackwc	.symtab	0x8081770	73	FUNC	<unknown>	DEFAULT	3
_IO_sscanf	.symtab	0x8080430	36	FUNC	<unknown>	DEFAULT	3
_IO_stderr	.symtab	0x80cd404	4	OBJECT	<unknown>	HIDDEN	21
_IO_stdfile_0_lock	.symtab	0x80d04d0	12	OBJECT	<unknown>	DEFAULT	22
_IO_stdfile_1_lock	.symtab	0x80d04dc	12	OBJECT	<unknown>	DEFAULT	22
_IO_stdfile_2_lock	.symtab	0x80d04e8	12	OBJECT	<unknown>	DEFAULT	22
_IO_stdin	.symtab	0x80cd3fc	4	OBJECT	<unknown>	HIDDEN	21
_IO_stdin_used	.symtab	0x80b05a4	4	OBJECT	<unknown>	DEFAULT	7
_IO_stdout	.symtab	0x80cd400	4	OBJECT	<unknown>	HIDDEN	21
_IO_str_count	.symtab	0x805bb60	23	FUNC	<unknown>	DEFAULT	3
_IO_str_finish	.symtab	0x805bb80	60	FUNC	<unknown>	DEFAULT	3
_IO_str_init_readonly	.symtab	0x805c150	132	FUNC	<unknown>	DEFAULT	3
_IO_str_init_static	.symtab	0x805c1e0	155	FUNC	<unknown>	DEFAULT	3
_IO_str_init_static_internal	.symtab	0x805beb0	145	FUNC	<unknown>	DEFAULT	3
_IO_str_jumps	.symtab	0x80b19a0	84	OBJECT	<unknown>	DEFAULT	7
_IO_str_overflow	.symtab	0x805bd40	359	FUNC	<unknown>	DEFAULT	3
_IO_str_pbackfail	.symtab	0x805bbc0	44	FUNC	<unknown>	DEFAULT	3
_IO_str_seekoff	.symtab	0x805bf50	510	FUNC	<unknown>	DEFAULT	3
_IO_str_underflow	.symtab	0x805bb10	66	FUNC	<unknown>	DEFAULT	3
_IO_strn_jumps	.symtab	0x80b17a0	84	OBJECT	<unknown>	DEFAULT	7
_IO_strn_overflow	.symtab	0x8056e00	99	FUNC	<unknown>	DEFAULT	3
_IO_sungetc	.symtab	0x8059df0	70	FUNC	<unknown>	DEFAULT	3
_IO_sungetwc	.symtab	0x80817c0	70	FUNC	<unknown>	DEFAULT	3
_IO_switch_to_backup_area	.symtab	0x8059b80	43	FUNC	<unknown>	DEFAULT	3
_IO_switch_to_get_mode	.symtab	0x8059bb0	115	FUNC	<unknown>	DEFAULT	3
_IO_switch_to_main_get_area	.symtab	0x8059b50	41	FUNC	<unknown>	DEFAULT	3
_IO_switch_to_main_wget_area	.symtab	0x8081650	43	FUNC	<unknown>	DEFAULT	3
_IO_switch_to_wbackup_area	.symtab	0x8081680	45	FUNC	<unknown>	DEFAULT	3
_IO_switch_to_wget_mode	.symtab	0x80816f0	121	FUNC	<unknown>	DEFAULT	3
_IO_un_link	.symtab	0x805aaf0	425	FUNC	<unknown>	DEFAULT	3
_IO_unsave_markers	.symtab	0x805b090	114	FUNC	<unknown>	DEFAULT	3
_IO_unsave_wmarkers	.symtab	0x8082100	120	FUNC	<unknown>	DEFAULT	3
_IO_vasprintf	.symtab	0x80a8310	356	FUNC	<unknown>	DEFAULT	3
_IO_vdprintf	.symtab	0x8082cc0	188	FUNC	<unknown>	DEFAULT	3
_IO_vfprintf	.symtab	0x80773f0	20246	FUNC	<unknown>	DEFAULT	3
_IO_vfprintf_internal	.symtab	0x80773f0	20246	FUNC	<unknown>	DEFAULT	3
_IO_vfscanf	.symtab	0x8095fc0	22346	FUNC	<unknown>	DEFAULT	3
_IO_vfscanf_internal	.symtab	0x8095fc0	22346	FUNC	<unknown>	DEFAULT	3
_IO_vsnprintf	.symtab	0x8056e70	213	FUNC	<unknown>	DEFAULT	3
_IO_vsscanf	.symtab	0x80814b0	140	FUNC	<unknown>	DEFAULT	3
_IO_wdefault_doallocate	.symtab	0x8081fc0	151	FUNC	<unknown>	DEFAULT	3
_IO_wdefault_finish	.symtab	0x8081bd0	130	FUNC	<unknown>	DEFAULT	3
_IO_wdefault_pbackfail	.symtab	0x8081c60	376	FUNC	<unknown>	DEFAULT	3
_IO_wdefault_uflow	.symtab	0x80816b0	52	FUNC	<unknown>	DEFAULT	3
_IO_wdefault_xsgetn	.symtab	0x8082400	213	FUNC	<unknown>	DEFAULT	3
_IO_wdefault_xsputn	.symtab	0x8081ea0	280	FUNC	<unknown>	DEFAULT	3
_IO_wdo_write	.symtab	0x80560c0	335	FUNC	<unknown>	DEFAULT	3
_IO_wdoallocbuf	.symtab	0x8082060	154	FUNC	<unknown>	DEFAULT	3
_IO_wfile_doallocate	.symtab	0x8080d50	169	FUNC	<unknown>	DEFAULT	3
_IO_wfile_jumps	.symtab	0x80b1680	84	OBJECT	<unknown>	DEFAULT	7
_IO_wfile_jumps_maybe_mmap	.symtab	0x80b1740	84	OBJECT	<unknown>	DEFAULT	7
_IO_wfile_jumps_mmap	.symtab	0x80b16e0	84	OBJECT	<unknown>	DEFAULT	7
_IO_wfile_overflow	.symtab	0x8056500	579	FUNC	<unknown>	DEFAULT	3
_IO_wfile_seekoff	.symtab	0x8055a90	1578	FUNC	<unknown>	DEFAULT	3
_IO_wfile_sync	.symtab	0x80563a0	346	FUNC	<unknown>	DEFAULT	3
_IO_wfile_underflow	.symtab	0x8056750	1000	FUNC	<unknown>	DEFAULT	3
_IO_wfile_underflow_maybe_mmap	.symtab	0x8055910	59	FUNC	<unknown>	DEFAULT	3
_IO_wfile_underflow_mmap	.symtab	0x8055950	307	FUNC	<unknown>	DEFAULT	3
_IO_wfile_xsputn	.symtab	0x8056210	393	FUNC	<unknown>	DEFAULT	3
_IO_wide_data_0	.symtab	0x80cd1c0	188	OBJECT	<unknown>	DEFAULT	21
_IO_wide_data_1	.symtab	0x80cd280	188	OBJECT	<unknown>	DEFAULT	21
_IO_wide_data_2	.symtab	0x80cd340	188	OBJECT	<unknown>	DEFAULT	21
_IO_wmarker_delta	.symtab	0x8081850	61	FUNC	<unknown>	DEFAULT	3
_IO_wpadn	.symtab	0x8081540	203	FUNC	<unknown>	DEFAULT	3
_IO_wsetb	.symtab	0x8081b60	97	FUNC	<unknown>	DEFAULT	3
_Jv_RegisterClasses	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
_L_lock_102	.symtab	0x8055783	16	FUNC	<unknown>	DEFAULT	3
_L_lock_106	.symtab	0x80682a5	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1091	.symtab	0x8050a8d	12	FUNC	<unknown>	DEFAULT	3
_L_lock_10969	.symtab	0x8063065	16	FUNC	<unknown>	DEFAULT	3
_L_lock_11078	.symtab	0x8063091	12	FUNC	<unknown>	DEFAULT	3
_L_lock_11265	.symtab	0x80630a9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_11360	.symtab	0x80630d5	12	FUNC	<unknown>	DEFAULT	3
_L_lock_116	.symtab	0x8053796	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1198	.symtab	0x806aa84	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1206	.symtab	0x80502a3	16	FUNC	<unknown>	DEFAULT	3
_L_lock_122	.symtab	0x80542de	16	FUNC	<unknown>	DEFAULT	3
_L_lock_122	.symtab	0x8055288	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1244	.symtab	0x8066ccc	16	FUNC	<unknown>	DEFAULT	3
_L_lock_12694	.symtab	0x80630ed	16	FUNC	<unknown>	DEFAULT	3
_L_lock_12751	.symtab	0x8063119	16	FUNC	<unknown>	DEFAULT	3
_L_lock_12843	.symtab	0x8063139	12	FUNC	<unknown>	DEFAULT	3
_L_lock_130	.symtab	0x8053d05	16	FUNC	<unknown>	DEFAULT	3
_L_lock_13011	.symtab	0x806315d	16	FUNC	<unknown>	DEFAULT	3
_L_lock_13091	.symtab	0x8063199	12	FUNC	<unknown>	DEFAULT	3
_L_lock_13253	.symtab	0x80631b1	16	FUNC	<unknown>	DEFAULT	3
_L_lock_13355	.symtab	0x80631dd	12	FUNC	<unknown>	DEFAULT	3
_L_lock_13521	.symtab	0x80631e9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1358	.symtab	0x8062e09	12	FUNC	<unknown>	DEFAULT	3
_L_lock_13706	.symtab	0x8063209	16	FUNC	<unknown>	DEFAULT	3
_L_lock_13895	.symtab	0x8063229	16	FUNC	<unknown>	DEFAULT	3
_L_lock_140	.symtab	0x8092259	16	FUNC	<unknown>	DEFAULT	3
_L_lock_14084	.symtab	0x8063249	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1419	.symtab	0x8062e15	16	FUNC	<unknown>	DEFAULT	3
_L_lock_14258	.symtab	0x8063269	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1449	.symtab	0x80936aa	16	FUNC	<unknown>	DEFAULT	3
_L_lock_15157	.symtab	0x8063289	16	FUNC	<unknown>	DEFAULT	3
_L_lock_15208	.symtab	0x80632a9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1544	.symtab	0x8062e35	16	FUNC	<unknown>	DEFAULT	3
_L_lock_15489	.symtab	0x80632c9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1596	.symtab	0x807c31e	12	FUNC	<unknown>	DEFAULT	3
_L_lock_16044	.symtab	0x80632e9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1644	.symtab	0x8062e65	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1679	.symtab	0x8062e75	16	FUNC	<unknown>	DEFAULT	3
_L_lock_16810	.symtab	0x8063309	12	FUNC	<unknown>	DEFAULT	3
_L_lock_1711	.symtab	0x805b9e9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1711	.symtab	0x8062e95	12	FUNC	<unknown>	DEFAULT	3
_L_lock_1772	.symtab	0x805b9f9	12	FUNC	<unknown>	DEFAULT	3
_L_lock_180	.symtab	0x80542fe	16	FUNC	<unknown>	DEFAULT	3
_L_lock_1860	.symtab	0x8062ea1	12	FUNC	<unknown>	DEFAULT	3
_L_lock_188	.symtab	0x8073cb5	16	FUNC	<unknown>	DEFAULT	3
_L_lock_19	.symtab	0x8053ce5	16	FUNC	<unknown>	DEFAULT	3
_L_lock_193	.symtab	0x8081489	12	FUNC	<unknown>	DEFAULT	3
_L_lock_1961	.symtab	0x805ba21	16	FUNC	<unknown>	DEFAULT	3
_L_lock_20	.symtab	0x805429e	16	FUNC	<unknown>	DEFAULT	3
_L_lock_2016	.symtab	0x80850a2	16	FUNC	<unknown>	DEFAULT	3
_L_lock_2029	.symtab	0x805ba31	12	FUNC	<unknown>	DEFAULT	3
_L_lock_2047	.symtab	0x8056b38	12	FUNC	<unknown>	DEFAULT	3
_L_lock_2067	.symtab	0x80502c3	16	FUNC	<unknown>	DEFAULT	3
_L_lock_21	.symtab	0x8053776	16	FUNC	<unknown>	DEFAULT	3
_L_lock_21	.symtab	0x80540c7	16	FUNC	<unknown>	DEFAULT	3
_L_lock_21	.symtab	0x80af507	13	FUNC	<unknown>	DEFAULT	4
_L_lock_2120	.symtab	0x80936da	16	FUNC	<unknown>	DEFAULT	3
_L_lock_22	.symtab	0x8050243	16	FUNC	<unknown>	DEFAULT	3
_L_lock_2241	.symtab	0x80502e3	16	FUNC	<unknown>	DEFAULT	3
_L_lock_2251	.symtab	0x80850c2	16	FUNC	<unknown>	DEFAULT	3
_L_lock_2299	.symtab	0x80850e2	13	FUNC	<unknown>	DEFAULT	3
_L_lock_24	.symtab	0x80520d9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_2482	.symtab	0x805ba65	16	FUNC	<unknown>	DEFAULT	3
_L_lock_250	.symtab	0x8053d25	16	FUNC	<unknown>	DEFAULT	3
_L_lock_2508	.symtab	0x805ba75	12	FUNC	<unknown>	DEFAULT	3
_L_lock_253	.symtab	0x80552a8	16	FUNC	<unknown>	DEFAULT	3
_L_lock_256	.symtab	0x80540e7	16	FUNC	<unknown>	DEFAULT	3
_L_lock_259	.symtab	0x80b03f1	13	FUNC	<unknown>	DEFAULT	5
_L_lock_2665	.symtab	0x805ba9d	16	FUNC	<unknown>	DEFAULT	3
_L_lock_2691	.symtab	0x805baad	12	FUNC	<unknown>	DEFAULT	3
_L_lock_2718	.symtab	0x8059a77	12	FUNC	<unknown>	DEFAULT	3
_L_lock_277	.symtab	0x8050263	16	FUNC	<unknown>	DEFAULT	3
_L_lock_287	.symtab	0x80520f9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_29	.symtab	0x8056bfa	9	FUNC	<unknown>	DEFAULT	3
_L_lock_29	.symtab	0x8056ddf	12	FUNC	<unknown>	DEFAULT	3
_L_lock_3027	.symtab	0x8050303	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3070	.symtab	0x8062ead	16	FUNC	<unknown>	DEFAULT	3
_L_lock_31	.symtab	0x8056cf2	12	FUNC	<unknown>	DEFAULT	3
_L_lock_3126	.symtab	0x806aaa4	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3147	.symtab	0x8050323	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3378	.symtab	0x8062ecd	16	FUNC	<unknown>	DEFAULT	3
_L_lock_34	.symtab	0x8080d24	12	FUNC	<unknown>	DEFAULT	3
_L_lock_343	.symtab	0x809b739	12	FUNC	<unknown>	DEFAULT	3
_L_lock_3455	.symtab	0x8062eed	16	FUNC	<unknown>	DEFAULT	3
_L_lock_35	.symtab	0x8068bca	12	FUNC	<unknown>	DEFAULT	3
_L_lock_3525	.symtab	0x8062f0d	16	FUNC	<unknown>	DEFAULT	3
_L_lock_357	.symtab	0x8066c9c	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3590	.symtab	0x8062f2d	16	FUNC	<unknown>	DEFAULT	3
_L_lock_36	.symtab	0x8055777	12	FUNC	<unknown>	DEFAULT	3
_L_lock_3656	.symtab	0x8050353	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3670	.symtab	0x8062f4d	16	FUNC	<unknown>	DEFAULT	3
_L_lock_37	.symtab	0x8062dd1	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3761	.symtab	0x8062f5d	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3775	.symtab	0x8050373	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3844	.symtab	0x8062f7d	16	FUNC	<unknown>	DEFAULT	3
_L_lock_3915	.symtab	0x8062f8d	12	FUNC	<unknown>	DEFAULT	3
_L_lock_4163	.symtab	0x8062fa5	16	FUNC	<unknown>	DEFAULT	3
_L_lock_420	.symtab	0x80552d8	16	FUNC	<unknown>	DEFAULT	3
_L_lock_4245	.symtab	0x8050393	16	FUNC	<unknown>	DEFAULT	3
_L_lock_4309	.symtab	0x80503b3	16	FUNC	<unknown>	DEFAULT	3
_L_lock_4392	.symtab	0x8062fc5	12	FUNC	<unknown>	DEFAULT	3
_L_lock_44	.symtab	0x80811c0	12	FUNC	<unknown>	DEFAULT	3
_L_lock_4528	.symtab	0x80503d3	16	FUNC	<unknown>	DEFAULT	3
_L_lock_47	.symtab	0x8080f29	12	FUNC	<unknown>	DEFAULT	3
_L_lock_4725	.symtab	0x8062fdd	16	FUNC	<unknown>	DEFAULT	3
_L_lock_4841	.symtab	0x805bad5	16	FUNC	<unknown>	DEFAULT	3
_L_lock_4867	.symtab	0x805bae5	12	FUNC	<unknown>	DEFAULT	3
_L_lock_5047	.symtab	0x8062ffd	16	FUNC	<unknown>	DEFAULT	3
_L_lock_51	.symtab	0x8055268	16	FUNC	<unknown>	DEFAULT	3
_L_lock_53	.symtab	0x8062de1	12	FUNC	<unknown>	DEFAULT	3
_L_lock_5301	.symtab	0x806301d	12	FUNC	<unknown>	DEFAULT	3
_L_lock_58	.symtab	0x806877b	16	FUNC	<unknown>	DEFAULT	3
_L_lock_66	.symtab	0x80542be	16	FUNC	<unknown>	DEFAULT	3
_L_lock_672	.symtab	0x8066cac	16	FUNC	<unknown>	DEFAULT	3
_L_lock_6738	.symtab	0x8063041	12	FUNC	<unknown>	DEFAULT	3
_L_lock_716	.symtab	0x8074326	16	FUNC	<unknown>	DEFAULT	3
_L_lock_740	.symtab	0x8050283	16	FUNC	<unknown>	DEFAULT	3
_L_lock_772	.symtab	0x80af408	13	FUNC	<unknown>	DEFAULT	4
_L_lock_807	.symtab	0x807c312	12	FUNC	<unknown>	DEFAULT	3
_L_lock_878	.symtab	0x8050a71	14	FUNC	<unknown>	DEFAULT	3
_L_lock_907	.symtab	0x806b6d5	16	FUNC	<unknown>	DEFAULT	3
_L_lock_947	.symtab	0x805b9c9	16	FUNC	<unknown>	DEFAULT	3
_L_lock_971	.symtab	0x8050a7f	14	FUNC	<unknown>	DEFAULT	3
_L_robust_lock_151	.symtab	0x8050a4f	17	FUNC	<unknown>	DEFAULT	3
_L_robust_unlock_548	.symtab	0x8050f6a	17	FUNC	<unknown>	DEFAULT	3
_L_unlock_10	.symtab	0x8066c8c	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_10894	.symtab	0x8063059	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_10982	.symtab	0x8063075	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_11042	.symtab	0x8063085	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_11179	.symtab	0x806309d	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_11278	.symtab	0x80630b9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_11325	.symtab	0x80630c9	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_117	.symtab	0x8055793	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_124	.symtab	0x80540d7	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_12466	.symtab	0x80630e1	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_12711	.symtab	0x80630fd	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_12726	.symtab	0x806310d	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_1275	.symtab	0x806aa94	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_12763	.symtab	0x8063129	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_12935	.symtab	0x8063145	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_130	.symtab	0x8056d07	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_13002	.symtab	0x8063151	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_13023	.symtab	0x806316d	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_13043	.symtab	0x806317d	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_13058	.symtab	0x806318d	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_132	.symtab	0x8056df4	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_13200	.symtab	0x80631a5	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_13266	.symtab	0x80631c1	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_13320	.symtab	0x80631d1	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_13629	.symtab	0x80631f9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_137	.symtab	0x8055298	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_13731	.symtab	0x8063219	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_13901	.symtab	0x8063239	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_14113	.symtab	0x8063259	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_14284	.symtab	0x8063279	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_144	.symtab	0x8062ded	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_1458	.symtab	0x8062e25	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_146	.symtab	0x80542ee	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_148	.symtab	0x8068bdf	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_148	.symtab	0x8080d30	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_15171	.symtab	0x8063299	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_15312	.symtab	0x80632b9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_15517	.symtab	0x80632d9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_156	.symtab	0x8062df9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_1591	.symtab	0x8062e45	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_16071	.symtab	0x80632f9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_1609	.symtab	0x8062e55	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_1623	.symtab	0x80936ba	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_16837	.symtab	0x8063315	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_1697	.symtab	0x8062e85	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_171	.symtab	0x80557a3	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_177	.symtab	0x8053d15	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_178	.symtab	0x8092269	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_180	.symtab	0x8080f35	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_1809	.symtab	0x805ba05	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_1843	.symtab	0x805ba11	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_187	.symtab	0x80682b5	13	FUNC	<unknown>	DEFAULT	3
_L_unlock_1888	.symtab	0x80502b3	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_19	.symtab	0x808048f	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_193	.symtab	0x805430e	13	FUNC	<unknown>	DEFAULT	3
_L_unlock_2021	.symtab	0x80936ca	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2081	.symtab	0x80850b2	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2095	.symtab	0x805ba3d	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_213	.symtab	0x8080f3e	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_2135	.symtab	0x80936ea	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2159	.symtab	0x807c32a	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_216	.symtab	0x8073cc5	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2187	.symtab	0x80502d3	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2188	.symtab	0x805ba49	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2277	.symtab	0x80850d2	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2281	.symtab	0x8056b44	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_2311	.symtab	0x80850ef	13	FUNC	<unknown>	DEFAULT	3
_L_unlock_233	.symtab	0x8080d3c	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_2331	.symtab	0x80936fa	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2337	.symtab	0x80502f3	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2386	.symtab	0x805ba59	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_248	.symtab	0x8050253	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_252	.symtab	0x8081495	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_254	.symtab	0x80557af	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_2552	.symtab	0x8056b50	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_2559	.symtab	0x805ba81	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2616	.symtab	0x805ba91	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_271	.symtab	0x80b03fe	13	FUNC	<unknown>	DEFAULT	5
_L_unlock_2768	.symtab	0x805bab9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_2842	.symtab	0x805bac9	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_2854	.symtab	0x8059a83	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_2967	.symtab	0x8059a8f	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_297	.symtab	0x80552b8	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_30	.symtab	0x805b9ad	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_302	.symtab	0x808149e	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_3032	.symtab	0x8050313	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3084	.symtab	0x8062ebd	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_312	.symtab	0x8052109	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3156	.symtab	0x806aab4	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_325	.symtab	0x8050273	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3273	.symtab	0x806aac4	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3291	.symtab	0x8050333	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3293	.symtab	0x806aad4	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_33	.symtab	0x80542ae	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3381	.symtab	0x806aae4	13	FUNC	<unknown>	DEFAULT	3
_L_unlock_3392	.symtab	0x8062edd	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3467	.symtab	0x8062efd	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_35	.symtab	0x8053cf5	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3539	.symtab	0x8062f1d	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3596	.symtab	0x8050343	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3612	.symtab	0x8062f3d	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_366	.symtab	0x8053d35	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3689	.symtab	0x8050363	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3775	.symtab	0x8062f6d	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_380	.symtab	0x80540f7	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_3814	.symtab	0x8050383	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_392	.symtab	0x80552c8	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_40	.symtab	0x80af514	13	FUNC	<unknown>	DEFAULT	4
_L_unlock_401	.symtab	0x80811d8	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_4047	.symtab	0x8062f99	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_4277	.symtab	0x80503a3	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_4297	.symtab	0x8062fb5	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_4342	.symtab	0x80503c3	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_4554	.symtab	0x8062fd1	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_4640	.symtab	0x80503e3	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_4944	.symtab	0x805baf1	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_4985	.symtab	0x8062fed	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_5053	.symtab	0x805bb01	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_5083	.symtab	0x806300d	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_511	.symtab	0x8053d45	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_52	.symtab	0x80520e9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_53	.symtab	0x805b9bd	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_557	.symtab	0x8053d55	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_59	.symtab	0x8056c03	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_601	.symtab	0x809b745	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_6038	.symtab	0x8063029	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_612	.symtab	0x8050a60	17	FUNC	<unknown>	DEFAULT	3
_L_unlock_6657	.symtab	0x8063035	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_67	.symtab	0x806878b	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_672	.symtab	0x8053d65	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_6754	.symtab	0x806304d	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_70	.symtab	0x8056deb	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_702	.symtab	0x8066cbc	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_742	.symtab	0x8050f7b	14	FUNC	<unknown>	DEFAULT	3
_L_unlock_785	.symtab	0x807c306	12	FUNC	<unknown>	DEFAULT	3
_L_unlock_788	.symtab	0x80af415	13	FUNC	<unknown>	DEFAULT	4
_L_unlock_80	.symtab	0x8055278	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_82	.symtab	0x8056cfe	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_832	.symtab	0x8074336	13	FUNC	<unknown>	DEFAULT	3
_L_unlock_86	.symtab	0x80542ce	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_867	.symtab	0x8050293	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_892	.symtab	0x8050f89	14	FUNC	<unknown>	DEFAULT	3
_L_unlock_904	.symtab	0x8073cd5	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_925	.symtab	0x806b6e5	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_97	.symtab	0x8068bd6	9	FUNC	<unknown>	DEFAULT	3
_L_unlock_978	.symtab	0x805b9d9	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_98	.symtab	0x8053786	16	FUNC	<unknown>	DEFAULT	3
_L_unlock_98	.symtab	0x80811cc	12	FUNC	<unknown>	DEFAULT	3
_Unwind_Backtrace	.symtab	0x80acb60	213	FUNC	<unknown>	HIDDEN	3
_Unwind_DeleteException	.symtab	0x80aafd0	31	FUNC	<unknown>	HIDDEN	3
_Unwind_FindEnclosingFunction	.symtab	0x80ab290	55	FUNC	<unknown>	HIDDEN	3
_Unwind_Find_FDE	.symtab	0x80ae620	475	FUNC	<unknown>	HIDDEN	3
_Unwind_ForcedUnwind	.symtab	0x80ad1a0	265	FUNC	<unknown>	HIDDEN	3
_Unwind_ForcedUnwind_Phase2	.symtab	0x80acea0	257	FUNC	<unknown>	DEFAULT	3
_Unwind_GetCFA	.symtab	0x80aaf60	11	FUNC	<unknown>	HIDDEN	3
_Unwind_GetDataRelBase	.symtab	0x80aafb0	11	FUNC	<unknown>	HIDDEN	3
_Unwind_GetGR	.symtab	0x80ab060	101	FUNC	<unknown>	HIDDEN	3
_Unwind_GetIP	.symtab	0x80aaf70	11	FUNC	<unknown>	HIDDEN	3
_Unwind_GetIPInfo	.symtab	0x80ab880	22	FUNC	<unknown>	HIDDEN	3
_Unwind_GetLanguageSpecificData	.symtab	0x80aaf90	11	FUNC	<unknown>	HIDDEN	3
_Unwind_GetRegionStart	.symtab	0x80aafa0	11	FUNC	<unknown>	HIDDEN	3
_Unwind_GetTextRelBase	.symtab	0x80aafc0	11	FUNC	<unknown>	HIDDEN	3
_Unwind_IteratePhdrCallback	.symtab	0x80ae800	1309	FUNC	<unknown>	DEFAULT	3
_Unwind_RaiseException	.symtab	0x80acd00	407	FUNC	<unknown>	HIDDEN	3
_Unwind_RaiseException_Phase2	.symtab	0x80acc40	188	FUNC	<unknown>	DEFAULT	3
_Unwind_Resume	.symtab	0x80ad0b0	233	FUNC	<unknown>	HIDDEN	3
_Unwind_Resume_or_Rethrow	.symtab	0x80acfb0	249	FUNC	<unknown>	HIDDEN	3
_Unwind_SetGR	.symtab	0x80aaff0	106	FUNC	<unknown>	HIDDEN	3
_Unwind_SetIP	.symtab	0x80aaf80	14	FUNC	<unknown>	HIDDEN	3
__CTOR_END__	.symtab	0x80ccb3c	0	OBJECT	<unknown>	DEFAULT	15
__CTOR_LIST__	.symtab	0x80ccb38	0	OBJECT	<unknown>	DEFAULT	15
__DTOR_END__	.symtab	0x80ccb48	0	OBJECT	<unknown>	HIDDEN	16
__DTOR_LIST__	.symtab	0x80ccb40	0	OBJECT	<unknown>	DEFAULT	16
__EH_FRAME_BEGIN__	.symtab	0x80c5adc	0	OBJECT	<unknown>	DEFAULT	11
__FRAME_END__	.symtab	0x80cba20	0	OBJECT	<unknown>	DEFAULT	11
__JCR_END__	.symtab	0x80ccb4c	0	OBJECT	<unknown>	DEFAULT	17
__JCR_LIST__	.symtab	0x80ccb4c	0	OBJECT	<unknown>	DEFAULT	17
____strtod_l_internal	.symtab	0x80a3a40	8404	FUNC	<unknown>	DEFAULT	3
____strtof_l_internal	.symtab	0x80a1800	7471	FUNC	<unknown>	DEFAULT	3
____strtol_l_internal	.symtab	0x80548a0	1065	FUNC	<unknown>	DEFAULT	3
____strtold_l_internal	.symtab	0x80a6020	8391	FUNC	<unknown>	DEFAULT	3
____strtoll_l_internal	.symtab	0x80a0660	1511	FUNC	<unknown>	DEFAULT	3
____strtoul_l_internal	.symtab	0x80760f0	1026	FUNC	<unknown>	DEFAULT	3
____strtoull_l_internal	.symtab	0x80a0c80	1474	FUNC	<unknown>	DEFAULT	3
___asprintf	.symtab	0x80a82e0	36	FUNC	<unknown>	DEFAULT	3
___brk_addr	.symtab	0x80d1440	4	OBJECT	<unknown>	DEFAULT	22
___fxstat64	.symtab	0x8065dc0	54	FUNC	<unknown>	DEFAULT	3
___newselect_nocancel	.symtab	0x806621a	45	FUNC	<unknown>	DEFAULT	3
___printf_fp	.symtab	0x807c6c0	9363	FUNC	<unknown>	DEFAULT	3
___vfprintf_chk	.symtab	0x8068ae0	234	FUNC	<unknown>	DEFAULT	3
___vfscanf	.symtab	0x809b710	41	FUNC	<unknown>	DEFAULT	3
___xstat64	.symtab	0x8065d80	54	FUNC	<unknown>	DEFAULT	3
__access	.symtab	0x80887d0	31	FUNC	<unknown>	DEFAULT	3
__add_to_environ	.symtab	0x8053910	867	FUNC	<unknown>	DEFAULT	3
__after_morecore_hook	.symtab	0x80d0508	4	OBJECT	<unknown>	DEFAULT	22
__argz_add_sep	.symtab	0x8083630	150	FUNC	<unknown>	DEFAULT	3
__argz_count	.symtab	0x80834f0	53	FUNC	<unknown>	DEFAULT	3
__argz_create_sep	.symtab	0x8083530	175	FUNC	<unknown>	DEFAULT	3
__argz_stringify	.symtab	0x80835e0	76	FUNC	<unknown>	DEFAULT	3
__asprintf	.symtab	0x80a82e0	36	FUNC	<unknown>	DEFAULT	3
__atomic_writev_replacement	.symtab	0x8088a60	345	FUNC	<unknown>	DEFAULT	3
__attr_list	.symtab	0x80d1b2c	4	OBJECT	<unknown>	DEFAULT	22
__attr_list_lock	.symtab	0x80cda8c	4	OBJECT	<unknown>	DEFAULT	22
__backtrace	.symtab	0x80687a0	211	FUNC	<unknown>	DEFAULT	3
__backtrace_symbols_fd	.symtab	0x8068900	465	FUNC	<unknown>	DEFAULT	3
__brk	.symtab	0x8088a20	56	FUNC	<unknown>	DEFAULT	3
__bsd_signal	.symtab	0x80532a0	201	FUNC	<unknown>	DEFAULT	3
__bss_start	.symtab	0x80cd6e0	0	NOTYPE	<unknown>	DEFAULT	SHN_ABS
__calloc	.symtab	0x8060e70	842	FUNC	<unknown>	DEFAULT	3
__cfree	.symtab	0x80627b0	410	FUNC	<unknown>	DEFAULT	3
__chdir	.symtab	0x8088810	27	FUNC	<unknown>	DEFAULT	3
__clearenv	.symtab	0x80537b0	112	FUNC	<unknown>	DEFAULT	3
__clone	.symtab	0x8067d50	119	FUNC	<unknown>	DEFAULT	3
__close	.symtab	0x8051970	80	FUNC	<unknown>	DEFAULT	3
__close_nocancel	.symtab	0x805197a	27	FUNC	<unknown>	DEFAULT	3
__connect	.symtab	0x8051ad0	87	FUNC	<unknown>	DEFAULT	3
__connect_internal	.symtab	0x8051ad0	87	FUNC	<unknown>	DEFAULT	3
__correctly_grouped_prefixmb	.symtab	0x80552f0	589	FUNC	<unknown>	DEFAULT	3
__ctype_b_loc	.symtab	0x8053100	50	FUNC	<unknown>	DEFAULT	3
__ctype_tolower_loc	.symtab	0x8053080	50	FUNC	<unknown>	DEFAULT	3
__ctype_toupper_loc	.symtab	0x80530c0	50	FUNC	<unknown>	DEFAULT	3
__curbrk	.symtab	0x80d1440	4	OBJECT	<unknown>	DEFAULT	22
__current_locale_name	.symtab	0x80a0540	27	FUNC	<unknown>	DEFAULT	3
__cxa_atexit	.symtab	0x8053f90	311	FUNC	<unknown>	DEFAULT	3
__data_start	.symtab	0x80ccba0	0	NOTYPE	<unknown>	DEFAULT	21
__daylight	.symtab	0x80d13a0	4	OBJECT	<unknown>	DEFAULT	22
__dcgettext	.symtab	0x8092280	57	FUNC	<unknown>	DEFAULT	3
__dcigettext	.symtab	0x8092f00	1962	FUNC	<unknown>	DEFAULT	3
__deallocate_stack	.symtab	0x804f290	325	FUNC	<unknown>	DEFAULT	3
__default_morecore	.symtab	0x8063330	34	FUNC	<unknown>	DEFAULT	3
__default_stacksize	.symtab	0x80ccf24	4	OBJECT	<unknown>	DEFAULT	21
__deregister_frame	.symtab	0x80ae320	49	FUNC	<unknown>	HIDDEN	3
__deregister_frame_info	.symtab	0x80ae300	19	FUNC	<unknown>	HIDDEN	3
__deregister_frame_info_bases	.symtab	0x80ae210	233	FUNC	<unknown>	HIDDEN	3
__dl_iterate_phdr	.symtab	0x80af170	239	FUNC	<unknown>	DEFAULT	3
__dladdr	.symtab	0x809bf10	31	FUNC	<unknown>	DEFAULT	3
__dladdr1	.symtab	0x809bf30	86	FUNC	<unknown>	DEFAULT	3
__dlclose	.symtab	0x80a8580	25	FUNC	<unknown>	DEFAULT	3
__dlerror	.symtab	0x809ba90	535	FUNC	<unknown>	DEFAULT	3
__dlinfo	.symtab	0x809bf90	52	FUNC	<unknown>	DEFAULT	3
__dlmopen	.symtab	0x809c090	78	FUNC	<unknown>	DEFAULT	3
__dlopen	.symtab	0x80a8480	72	FUNC	<unknown>	DEFAULT	3
__dlsym	.symtab	0x80a85b0	96	FUNC	<unknown>	DEFAULT	3
__dlvsym	.symtab	0x80a8630	102	FUNC	<unknown>	DEFAULT	3
__do_global_ctors_aux	.symtab	0x80af350	0	FUNC	<unknown>	DEFAULT	3
__do_global_dtors_aux	.symtab	0x8048160	0	FUNC	<unknown>	DEFAULT	3
__dprintf	.symtab	0x8080400	36	FUNC	<unknown>	DEFAULT	3
__dso_handle	.symtab	0x80b05a8	0	OBJECT	<unknown>	HIDDEN	7
__dup2	.symtab	0x80887f0	31	FUNC	<unknown>	DEFAULT	3
__elf_set___libc_atexit_element__IO_cleanup__	.symtab	0x80c5ad0	4	OBJECT	<unknown>	DEFAULT	9
__elf_set___libc_subfreeres_element_buffer_free__	.symtab	0x80c5aa4	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5aa0	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5aa8	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5aac	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5ab0	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5ab4	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5ab8	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5abc	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5ac4	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5ac8	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_free_mem__	.symtab	0x80c5acc	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_subfreeres_element_res_thread_freeres__	.symtab	0x80c5ac0	4	OBJECT	<unknown>	DEFAULT	8
__elf_set___libc_thread_subfreeres_element_arena_thread_freeres__	.symtab	0x80c5ad4	4	OBJECT	<unknown>	DEFAULT	10
__elf_set___libc_thread_subfreeres_element_res_thread_freeres__	.symtab	0x80c5ad8	4	OBJECT	<unknown>	DEFAULT	10
__environ	.symtab	0x80d09f8	4	OBJECT	<unknown>	DEFAULT	22
__errno_location	.symtab	0x8052130	17	FUNC	<unknown>	DEFAULT	3
__execve	.symtab	0x80649a0	57	FUNC	<unknown>	DEFAULT	3
__exit_funcs	.symtab	0x80ccf2c	4	OBJECT	<unknown>	DEFAULT	21
__exit_thread	.symtab	0x8065ca0	26	FUNC	<unknown>	DEFAULT	3
__fcloseall	.symtab	0x8056f50	9	FUNC	<unknown>	DEFAULT	3
__fcntl	.symtab	0x8051a10	177	FUNC	<unknown>	DEFAULT	3
__fcntl_nocancel	.symtab	0x80519c0	69	FUNC	<unknown>	DEFAULT	3
__find_in_stack_list	.symtab	0x804e860	131	FUNC	<unknown>	DEFAULT	3
__find_specmb	.symtab	0x80804a0	117	FUNC	<unknown>	DEFAULT	3
__fini_array_end	.symtab	0x80ccb38	0	NOTYPE	<unknown>	HIDDEN	14
__fini_array_start	.symtab	0x80ccb38	0	NOTYPE	<unknown>	HIDDEN	14
__fopen_internal	.symtab	0x8055800	218	FUNC	<unknown>	DEFAULT	3
__fopen_maybe_mmap	.symtab	0x80557c0	63	FUNC	<unknown>	DEFAULT	3
__fork	.symtab	0x8052120	9	FUNC	<unknown>	DEFAULT	3
__fork_generation	.symtab	0x80d1b30	4	OBJECT	<unknown>	DEFAULT	22
__fork_generation_pointer	.symtab	0x80d1c08	4	OBJECT	<unknown>	DEFAULT	22
__fork_handlers	.symtab	0x80d1c0c	4	OBJECT	<unknown>	DEFAULT	22
__fork_lock	.symtab	0x80d0aa0	4	OBJECT	<unknown>	DEFAULT	22
__fprintf	.symtab	0x80803d0	36	FUNC	<unknown>	DEFAULT	3
__fpu_control	.symtab	0x80cd678	2	OBJECT	<unknown>	DEFAULT	21
__frame_state_for	.symtab	0x80abd20	298	FUNC	<unknown>	HIDDEN	3
__free	.symtab	0x80627b0	410	FUNC	<unknown>	DEFAULT	3
__free_hook	.symtab	0x80d0504	4	OBJECT	<unknown>	DEFAULT	22
__free_stack_cache	.symtab	0x804ea10	157	FUNC	<unknown>	DEFAULT	3
__free_tcb	.symtab	0x804f3e0	70	FUNC	<unknown>	DEFAULT	3
__fsetlocking	.symtab	0x8082d80	56	FUNC	<unknown>	DEFAULT	3
__funlockfile	.symtab	0x8080460	47	FUNC	<unknown>	DEFAULT	3
__fxstat64	.symtab	0x8065dc0	54	FUNC	<unknown>	DEFAULT	3
__gcc_personality_v0	.symtab	0x80aef40	538	FUNC	<unknown>	HIDDEN	3
__gconv	.symtab	0x80a03d0	354	FUNC	<unknown>	DEFAULT	3
__gconv_alias_compare	.symtab	0x8069d40	25	FUNC	<unknown>	DEFAULT	3
__gconv_alias_db	.symtab	0x80d1cd8	4	OBJECT	<unknown>	DEFAULT	22
__gconv_btwoc_ascii	.symtab	0x806b8d0	17	FUNC	<unknown>	DEFAULT	3
__gconv_close	.symtab	0x8091ad0	145	FUNC	<unknown>	DEFAULT	3
__gconv_close_transform	.symtab	0x8069ea0	181	FUNC	<unknown>	DEFAULT	3
__gconv_compare_alias	.symtab	0x8069dc0	219	FUNC	<unknown>	DEFAULT	3
__gconv_compare_alias_cache	.symtab	0x8070280	413	FUNC	<unknown>	DEFAULT	3
__gconv_find_shlib	.symtab	0x80709a0	397	FUNC	<unknown>	DEFAULT	3
__gconv_find_transform	.symtab	0x806a850	564	FUNC	<unknown>	DEFAULT	3
__gconv_get_alias_db	.symtab	0x8069ce0	10	FUNC	<unknown>	DEFAULT	3
__gconv_get_builtin_trans	.symtab	0x806b700	450	FUNC	<unknown>	DEFAULT	3
__gconv_get_cache	.symtab	0x806ff80	10	FUNC	<unknown>	DEFAULT	3
__gconv_get_modules_db	.symtab	0x8069cd0	10	FUNC	<unknown>	DEFAULT	3
__gconv_get_path	.symtab	0x806afd0	730	FUNC	<unknown>	DEFAULT	3
__gconv_load_cache	.symtab	0x80700a0	479	FUNC	<unknown>	DEFAULT	3
__gconv_lock	.symtab	0x80d1cd4	4	OBJECT	<unknown>	DEFAULT	22
__gconv_lookup_cache	.symtab	0x8070420	1216	FUNC	<unknown>	DEFAULT	3
__gconv_max_path_elem_len	.symtab	0x80d1ce0	4	OBJECT	<unknown>	DEFAULT	22
__gconv_modules_db	.symtab	0x80d1cd0	4	OBJECT	<unknown>	DEFAULT	22
__gconv_open	.symtab	0x809fcd0	1786	FUNC	<unknown>	DEFAULT	3
__gconv_path_elem	.symtab	0x80d1ce4	4	OBJECT	<unknown>	DEFAULT	22
__gconv_path_envvar	.symtab	0x80d1cdc	4	OBJECT	<unknown>	DEFAULT	22
__gconv_read_conf	.symtab	0x806b2b0	1061	FUNC	<unknown>	DEFAULT	3
__gconv_release_cache	.symtab	0x806ff90	26	FUNC	<unknown>	DEFAULT	3
__gconv_release_shlib	.symtab	0x8070950	34	FUNC	<unknown>	DEFAULT	3
__gconv_release_step	.symtab	0x8069d60	85	FUNC	<unknown>	DEFAULT	3
__gconv_transform_ascii_internal	.symtab	0x806cb00	891	FUNC	<unknown>	DEFAULT	3
__gconv_transform_internal_ascii	.symtab	0x806c4d0	1573	FUNC	<unknown>	DEFAULT	3
__gconv_transform_internal_ucs2	.symtab	0x806b8f0	1688	FUNC	<unknown>	DEFAULT	3
__gconv_transform_internal_ucs2reverse	.symtab	0x806d2e0	1693	FUNC	<unknown>	DEFAULT	3
__gconv_transform_internal_ucs4	.symtab	0x806e370	895	FUNC	<unknown>	DEFAULT	3
__gconv_transform_internal_ucs4le	.symtab	0x806e6f0	879	FUNC	<unknown>	DEFAULT	3
__gconv_transform_internal_utf8	.symtab	0x806f720	2138	FUNC	<unknown>	DEFAULT	3
__gconv_transform_ucs2_internal	.symtab	0x806bf90	1343	FUNC	<unknown>	DEFAULT	3
__gconv_transform_ucs2reverse_internal	.symtab	0x806d980	1374	FUNC	<unknown>	DEFAULT	3
__gconv_transform_ucs4_internal	.symtab	0x806dee0	1164	FUNC	<unknown>	DEFAULT	3
__gconv_transform_ucs4le_internal	.symtab	0x806ce80	1111	FUNC	<unknown>	DEFAULT	3
__gconv_transform_utf8_internal	.symtab	0x806ea60	3253	FUNC	<unknown>	DEFAULT	3
__gconv_translit_find	.symtab	0x8091c60	610	FUNC	<unknown>	DEFAULT	3
__gconv_transliterate	.symtab	0x8091ef0	873	FUNC	<unknown>	DEFAULT	3
__get_avphys_pages	.symtab	0x8067940	14	FUNC	<unknown>	DEFAULT	3
__get_nprocs	.symtab	0x8067b90	323	FUNC	<unknown>	DEFAULT	3
__get_nprocs_conf	.symtab	0x8067b90	323	FUNC	<unknown>	DEFAULT	3
__get_phys_pages	.symtab	0x8067950	14	FUNC	<unknown>	DEFAULT	3
__getclktck	.symtab	0x8067ce0	20	FUNC	<unknown>	DEFAULT	3
__getcwd	.symtab	0x8088830	234	FUNC	<unknown>	DEFAULT	3
__getdelim	.symtab	0x8080f50	624	FUNC	<unknown>	DEFAULT	3
__getdtablesize	.symtab	0x80661e0	41	FUNC	<unknown>	DEFAULT	3
__getegid	.symtab	0x80887a0	12	FUNC	<unknown>	DEFAULT	3
__geteuid	.symtab	0x8088780	12	FUNC	<unknown>	DEFAULT	3
__getgid	.symtab	0x8088790	12	FUNC	<unknown>	DEFAULT	3
__gethostname	.symtab	0x809d0b0	140	FUNC	<unknown>	DEFAULT	3
__getpagesize	.symtab	0x80661c0	23	FUNC	<unknown>	DEFAULT	3
__getpid	.symtab	0x8064e00	49	FUNC	<unknown>	DEFAULT	3
__getrlimit	.symtab	0x80660d0	54	FUNC	<unknown>	DEFAULT	3
__getsockname	.symtab	0x8067ea0	30	FUNC	<unknown>	DEFAULT	3
__getsockopt	.symtab	0x8067ec0	30	FUNC	<unknown>	DEFAULT	3
__gettext_extract_plural	.symtab	0x8075700	266	FUNC	<unknown>	DEFAULT	3
__gettext_free_exp	.symtab	0x8074b70	523	FUNC	<unknown>	DEFAULT	3
__gettext_germanic_plural	.symtab	0x80bfcc8	20	OBJECT	<unknown>	DEFAULT	7
__gettextparse	.symtab	0x8074e70	2186	FUNC	<unknown>	DEFAULT	3
__gettimeofday	.symtab	0x8064480	31	FUNC	<unknown>	DEFAULT	3
__gettimeofday_internal	.symtab	0x8064480	31	FUNC	<unknown>	DEFAULT	3
__getuid	.symtab	0x8088770	12	FUNC	<unknown>	DEFAULT	3
__gmon_start__	.symtab	0x0	0	NOTYPE	<unknown>	DEFAULT	SHN_UNDEF
__guess_grouping	.symtab	0x807c340	76	FUNC	<unknown>	DEFAULT	3
__hash_string	.symtab	0x8075810	59	FUNC	<unknown>	DEFAULT	3
__i686.get_pc_thunk.bx	.symtab	0x80ad2ad	0	FUNC	<unknown>	HIDDEN	3
__i686.get_pc_thunk.cx	.symtab	0x80ad2a9	0	FUNC	<unknown>	HIDDEN	3
__inet_aton	.symtab	0x8068300	343	FUNC	<unknown>	DEFAULT	3
__init_array_end	.symtab	0x80ccb38	0	NOTYPE	<unknown>	HIDDEN	14
__init_array_start	.symtab	0x80ccb38	0	NOTYPE	<unknown>	HIDDEN	14
__init_misc	.symtab	0x8067d00	78	FUNC	<unknown>	DEFAULT	3
__init_sched_fifo_prio	.symtab	0x8051e20	42	FUNC	<unknown>	DEFAULT	3
__initstate	.symtab	0x80541e0	112	FUNC	<unknown>	DEFAULT	3
__initstate_r	.symtab	0x80545f0	545	FUNC	<unknown>	DEFAULT	3
__ioctl	.symtab	0x8066190	33	FUNC	<unknown>	DEFAULT	3
__is_smp	.symtab	0x80d1b44	4	OBJECT	<unknown>	DEFAULT	22
__isatty	.symtab	0x8088920	34	FUNC	<unknown>	DEFAULT	3
__isinf	.symtab	0x8093710	64	FUNC	<unknown>	DEFAULT	3
__isinfl	.symtab	0x8093780	85	FUNC	<unknown>	DEFAULT	3
__isnan	.symtab	0x8093750	39	FUNC	<unknown>	DEFAULT	3
__isnanl	.symtab	0x80937e0	69	FUNC	<unknown>	DEFAULT	3
__kernel_cpumask_size	.symtab	0x80d09f4	4	OBJECT	<unknown>	DEFAULT	22
__kill	.symtab	0x8053400	31	FUNC	<unknown>	DEFAULT	3
__lchown	.symtab	0x8065e20	57	FUNC	<unknown>	DEFAULT	3
__libc_alloca_cutoff	.symtab	0x80680b0	66	FUNC	<unknown>	DEFAULT	3
__libc_argc	.symtab	0x80d1cc8	4	OBJECT	<unknown>	DEFAULT	22
__libc_argv	.symtab	0x80d1ccc	4	OBJECT	<unknown>	DEFAULT	22
__libc_calloc	.symtab	0x8060e70	842	FUNC	<unknown>	DEFAULT	3
__libc_check_standard_fds	.symtab	0x8052b70	459	FUNC	<unknown>	DEFAULT	3
__libc_cleanup_routine	.symtab	0x8068100	27	FUNC	<unknown>	DEFAULT	3
__libc_close	.symtab	0x8051970	80	FUNC	<unknown>	DEFAULT	3
__libc_connect	.symtab	0x8051ad0	87	FUNC	<unknown>	DEFAULT	3
__libc_csu_fini	.symtab	0x8052fc0	57	FUNC	<unknown>	DEFAULT	3
__libc_csu_init	.symtab	0x8053000	127	FUNC	<unknown>	DEFAULT	3
__libc_disable_asynccancel	.symtab	0x8068120	50	FUNC	<unknown>	DEFAULT	3
__libc_dlclose	.symtab	0x8091800	87	FUNC	<unknown>	DEFAULT	3
__libc_dlopen_mode	.symtab	0x8091940	226	FUNC	<unknown>	DEFAULT	3
__libc_dlsym	.symtab	0x8091860	108	FUNC	<unknown>	DEFAULT	3
__libc_dlsym_private	.symtab	0x80918d0	108	FUNC	<unknown>	DEFAULT	3
__libc_enable_asynccancel	.symtab	0x8068160	98	FUNC	<unknown>	DEFAULT	3
__libc_enable_secure	.symtab	0x80ccb58	4	OBJECT	<unknown>	DEFAULT	18
__libc_enable_secure_decided	.symtab	0x80d1cc4	4	OBJECT	<unknown>	DEFAULT	22
__libc_errno	.symtab	0x14	4	TLS	<unknown>	DEFAULT	14
__libc_fatal	.symtab	0x8057220	42	FUNC	<unknown>	DEFAULT	3
__libc_fcntl	.symtab	0x8051a10	177	FUNC	<unknown>	DEFAULT	3
__libc_fork	.symtab	0x8064770	535	FUNC	<unknown>	DEFAULT	3
__libc_free	.symtab	0x80627b0	410	FUNC	<unknown>	DEFAULT	3
__libc_init_first	.symtab	0x8069c40	133	FUNC	<unknown>	DEFAULT	3
__libc_init_secure	.symtab	0x8069be0	66	FUNC	<unknown>	DEFAULT	3
__libc_longjmp	.symtab	0x80531f0	84	FUNC	<unknown>	DEFAULT	3
__libc_lseek	.symtab	0x8051bf0	33	FUNC	<unknown>	DEFAULT	3
__libc_lseek64	.symtab	0x8067df0	117	FUNC	<unknown>	DEFAULT	3
__libc_mallinfo	.symtab	0x805def0	353	FUNC	<unknown>	DEFAULT	3
__libc_malloc	.symtab	0x80611c0	442	FUNC	<unknown>	DEFAULT	3
__libc_malloc_initialized	.symtab	0x80cd418	4	OBJECT	<unknown>	DEFAULT	21
__libc_mallopt	.symtab	0x805e5e0	356	FUNC	<unknown>	DEFAULT	3
__libc_memalign	.symtab	0x8061380	467	FUNC	<unknown>	DEFAULT	3
__libc_message	.symtab	0x8056f60	691	FUNC	<unknown>	DEFAULT	3
__libc_multiple_libcs	.symtab	0x80cd46c	4	OBJECT	<unknown>	DEFAULT	21
__libc_nanosleep	.symtab	0x8064710	87	FUNC	<unknown>	DEFAULT	3
__libc_open	.symtab	0x8051c20	91	FUNC	<unknown>	DEFAULT	3
__libc_pause	.symtab	0x8051c80	64	FUNC	<unknown>	DEFAULT	3
__libc_pthread_init	.symtab	0x80682d0	45	FUNC	<unknown>	DEFAULT	3
__libc_pvalloc	.symtab	0x8060550	469	FUNC	<unknown>	DEFAULT	3
__libc_read	.symtab	0x8051910	91	FUNC	<unknown>	DEFAULT	3
__libc_realloc	.symtab	0x8062950	1085	FUNC	<unknown>	DEFAULT	3
__libc_recvfrom	.symtab	0x8051b30	87	FUNC	<unknown>	DEFAULT	3
__libc_register_dl_open_hook	.symtab	0x8091a30	125	FUNC	<unknown>	DEFAULT	3
__libc_register_dlfcn_hook	.symtab	0x809b9a0	37	FUNC	<unknown>	DEFAULT	3
__libc_resp	.symtab	0x0	4	TLS	<unknown>	DEFAULT	13
__libc_select	.symtab	0x8066210	115	FUNC	<unknown>	DEFAULT	3
__libc_send	.symtab	0x8067ee0	87	FUNC	<unknown>	DEFAULT	3
__libc_sendto	.symtab	0x8051b90	87	FUNC	<unknown>	DEFAULT	3
__libc_setlocale_lock	.symtab	0x80d1260	32	OBJECT	<unknown>	DEFAULT	22
__libc_setup_tls	.symtab	0x8052da0	505	FUNC	<unknown>	DEFAULT	3
__libc_sigaction	.symtab	0x80525d0	298	FUNC	<unknown>	DEFAULT	3
__libc_siglongjmp	.symtab	0x80531f0	84	FUNC	<unknown>	DEFAULT	3
__libc_stack_end	.symtab	0x80ccb54	4	OBJECT	<unknown>	DEFAULT	18
__libc_start_main	.symtab	0x8052850	763	FUNC	<unknown>	DEFAULT	3
__libc_system	.symtab	0x8055200	104	FUNC	<unknown>	DEFAULT	3
__libc_thread_freeres	.symtab	0x80b0410	33	FUNC	<unknown>	DEFAULT	5
__libc_tsd_CTYPE_B	.symtab	0x18	4	TLS	<unknown>	DEFAULT	14
__libc_tsd_CTYPE_TOLOWER	.symtab	0x20	4	TLS	<unknown>	DEFAULT	14
__libc_tsd_CTYPE_TOUPPER	.symtab	0x1c	4	TLS	<unknown>	DEFAULT	14
__libc_tsd_LOCALE	.symtab	0x8	4	TLS	<unknown>	DEFAULT	13
__libc_tsd_MALLOC	.symtab	0x24	4	TLS	<unknown>	DEFAULT	14
__libc_valloc	.symtab	0x8060730	467	FUNC	<unknown>	DEFAULT	3
__libc_waitpid	.symtab	0x8051cc0	91	FUNC	<unknown>	DEFAULT	3
__libc_write	.symtab	0x80518b0	91	FUNC	<unknown>	DEFAULT	3
__libc_writev	.symtab	0x8088bc0	270	FUNC	<unknown>	DEFAULT	3
__libio_codecvt	.symtab	0x80c0880	120	OBJECT	<unknown>	DEFAULT	7
__libio_translit	.symtab	0x80c08f8	20	OBJECT	<unknown>	DEFAULT	7
__lll_lock_wait	.symtab	0x80515d0	48	FUNC	<unknown>	HIDDEN	3
__lll_lock_wait_private	.symtab	0x80515a0	42	FUNC	<unknown>	HIDDEN	3
__lll_robust_lock_wait	.symtab	0x8051780	81	FUNC	<unknown>	HIDDEN	3
__lll_robust_timedlock_wait	.symtab	0x80517e0	201	FUNC	<unknown>	HIDDEN	3
__lll_timedlock_wait	.symtab	0x8051600	173	FUNC	<unknown>	HIDDEN	3
__lll_timedwait_tid	.symtab	0x8051710	112	FUNC	<unknown>	HIDDEN	3
__lll_unlock_wake	.symtab	0x80516e0	43	FUNC	<unknown>	HIDDEN	3
__lll_unlock_wake_private	.symtab	0x80516b0	37	FUNC	<unknown>	HIDDEN	3
__llseek	.symtab	0x8067df0	117	FUNC	<unknown>	DEFAULT	3
__localtime_r	.symtab	0x8084040	34	FUNC	<unknown>	DEFAULT	3
__longjmp	.symtab	0x8053250	43	FUNC	<unknown>	DEFAULT	3
__lseek	.symtab	0x8051bf0	33	FUNC	<unknown>	DEFAULT	3
__lseek64	.symtab	0x8067df0	117	FUNC	<unknown>	DEFAULT	3
__make_stacks_executable	.symtab	0x804f180	257	FUNC	<unknown>	DEFAULT	3
__mallinfo	.symtab	0x805def0	353	FUNC	<unknown>	DEFAULT	3
__malloc	.symtab	0x80611c0	442	FUNC	<unknown>	DEFAULT	3
__malloc_check_init	.symtab	0x805d490	121	FUNC	<unknown>	DEFAULT	3
__malloc_get_state	.symtab	0x8061610	428	FUNC	<unknown>	DEFAULT	3
__malloc_hook	.symtab	0x80cd40c	4	OBJECT	<unknown>	DEFAULT	21
__malloc_initialize_hook	.symtab	0x80d0500	4	OBJECT	<unknown>	DEFAULT	22
__malloc_set_state	.symtab	0x805e250	905	FUNC	<unknown>	DEFAULT	3
__malloc_stats	.symtab	0x805dcd0	529	FUNC	<unknown>	DEFAULT	3
__malloc_trim	.symtab	0x805e060	493	FUNC	<unknown>	DEFAULT	3
__malloc_usable_size	.symtab	0x805c4a0	52	FUNC	<unknown>	DEFAULT	3
__mallopt	.symtab	0x805e5e0	356	FUNC	<unknown>	DEFAULT	3
__mbrlen	.symtab	0x8083740	55	FUNC	<unknown>	DEFAULT	3
__mbrtowc	.symtab	0x8083780	407	FUNC	<unknown>	DEFAULT	3
__mbsnrtowcs	.symtab	0x8083d20	594	FUNC	<unknown>	DEFAULT	3
__memalign	.symtab	0x8061380	467	FUNC	<unknown>	DEFAULT	3
__memalign_hook	.symtab	0x80cd414	4	OBJECT	<unknown>	DEFAULT	21
__memchr	.symtab	0x80832a0	411	FUNC	<unknown>	DEFAULT	3
__mempcpy	.symtab	0x8063d10	68	FUNC	<unknown>	DEFAULT	3
__mkdir	.symtab	0x8065e00	31	FUNC	<unknown>	DEFAULT	3
__mktime_internal	.symtab	0x809c6f0	2437	FUNC	<unknown>	DEFAULT	3
__mmap	.symtab	0x8066e40	67	FUNC	<unknown>	DEFAULT	3
__mmap64	.symtab	0x8066e90	88	FUNC	<unknown>	DEFAULT	3
__mon_yday	.symtab	0x80c4d40	52	OBJECT	<unknown>	DEFAULT	7
__morecore	.symtab	0x80cd408	4	OBJECT	<unknown>	DEFAULT	21
__mpn_add_n	.symtab	0x80a8120	144	FUNC	<unknown>	DEFAULT	3
__mpn_addmul_1	.symtab	0x80a81b0	60	FUNC	<unknown>	DEFAULT	3
__mpn_cmp	.symtab	0x8093da0	92	FUNC	<unknown>	DEFAULT	3
__mpn_construct_double	.symtab	0x80a8230	86	FUNC	<unknown>	DEFAULT	3
__mpn_construct_float	.symtab	0x80a81f0	49	FUNC	<unknown>	DEFAULT	3
__mpn_construct_long_double	.symtab	0x80a8290	71	FUNC	<unknown>	DEFAULT	3
__mpn_divrem	.symtab	0x8093e00	1112	FUNC	<unknown>	DEFAULT	3
__mpn_extract_double	.symtab	0x8095af0	244	FUNC	<unknown>	DEFAULT	3
__mpn_extract_long_double	.symtab	0x8095bf0	279	FUNC	<unknown>	DEFAULT	3
__mpn_impn_mul_n	.symtab	0x80948b0	1989	FUNC	<unknown>	DEFAULT	3
__mpn_impn_mul_n_basecase	.symtab	0x80947b0	247	FUNC	<unknown>	DEFAULT	3
__mpn_impn_sqr_n	.symtab	0x8095080	1829	FUNC	<unknown>	DEFAULT	3
__mpn_impn_sqr_n_basecase	.symtab	0x80946b0	250	FUNC	<unknown>	DEFAULT	3
__mpn_lshift	.symtab	0x8094260	87	FUNC	<unknown>	DEFAULT	3
__mpn_mul	.symtab	0x8094320	843	FUNC	<unknown>	DEFAULT	3
__mpn_mul_1	.symtab	0x8094670	57	FUNC	<unknown>	DEFAULT	3
__mpn_mul_n	.symtab	0x80957b0	620	FUNC	<unknown>	DEFAULT	3
__mpn_rshift	.symtab	0x80942c0	87	FUNC	<unknown>	DEFAULT	3
__mpn_sub_n	.symtab	0x8095a20	144	FUNC	<unknown>	DEFAULT	3
__mpn_submul_1	.symtab	0x8095ab0	60	FUNC	<unknown>	DEFAULT	3
__mprotect	.symtab	0x8066f10	33	FUNC	<unknown>	DEFAULT	3
__mremap	.symtab	0x8067e70	45	FUNC	<unknown>	DEFAULT	3
__munmap	.symtab	0x8066ef0	31	FUNC	<unknown>	DEFAULT	3
__nanosleep	.symtab	0x8064710	87	FUNC	<unknown>	DEFAULT	3
__nanosleep_nocancel	.symtab	0x806471a	31	FUNC	<unknown>	DEFAULT	3
__new_exitfn	.symtab	0x8053e70	274	FUNC	<unknown>	DEFAULT	3
__new_exitfn_called	.symtab	0x80d1c00	8	OBJECT	<unknown>	DEFAULT	22
__new_fclose	.symtab	0x80555c0	439	FUNC	<unknown>	DEFAULT	3
__new_fopen	.symtab	0x80558e0	34	FUNC	<unknown>	DEFAULT	3
__new_getrlimit	.symtab	0x80660d0	54	FUNC	<unknown>	DEFAULT	3
__nptl_create_event	.symtab	0x80525a0	5	FUNC	<unknown>	DEFAULT	3
__nptl_deallocate_tsd	.symtab	0x804e8f0	278	FUNC	<unknown>	DEFAULT	3
__nptl_death_event	.symtab	0x80525b0	5	FUNC	<unknown>	DEFAULT	3
__nptl_initial_report_events	.symtab	0x80cda90	1	OBJECT	<unknown>	DEFAULT	22
__nptl_last_event	.symtab	0x80cda80	4	OBJECT	<unknown>	DEFAULT	22
__nptl_nthreads	.symtab	0x80ccf08	4	OBJECT	<unknown>	DEFAULT	21
__nptl_setxid	.symtab	0x804edd0	941	FUNC	<unknown>	DEFAULT	3
__nptl_threads_events	.symtab	0x80cda78	8	OBJECT	<unknown>	DEFAULT	22
__offtime	.symtab	0x809c400	746	FUNC	<unknown>	DEFAULT	3
__open	.symtab	0x8051c20	91	FUNC	<unknown>	DEFAULT	3
__open_nocancel	.symtab	0x8051c2a	33	FUNC	<unknown>	DEFAULT	3
__overflow	.symtab	0x805aca0	41	FUNC	<unknown>	DEFAULT	3
__parse_one_specmb	.symtab	0x8080520	1320	FUNC	<unknown>	DEFAULT	3
__pause_nocancel	.symtab	0x8051c8a	19	FUNC	<unknown>	DEFAULT	3
__posix_memalign	.symtab	0x8061560	111	FUNC	<unknown>	DEFAULT	3
__preinit_array_end	.symtab	0x80ccb38	0	NOTYPE	<unknown>	HIDDEN	14
__preinit_array_start	.symtab	0x80ccb38	0	NOTYPE	<unknown>	HIDDEN	14
__printf_arginfo_table	.symtab	0x80d1da0	4	OBJECT	<unknown>	DEFAULT	23
__printf_fp	.symtab	0x807c6c0	9363	FUNC	<unknown>	DEFAULT	3
__printf_fphex	.symtab	0x807ebf0	6104	FUNC	<unknown>	DEFAULT	3
__printf_function_table	.symtab	0x80d1d38	4	OBJECT	<unknown>	DEFAULT	22
__profil	.symtab	0x80a87d0	392	FUNC	<unknown>	DEFAULT	3

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/18/22-07:46:53.988918	TCP	2020381	ET TROJAN DDoS.XOR Checkin	45048	2897	192.168.2.23	96.43.105.68

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 18, 2022 07:46:53.316745996 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:46:53.601155996 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:46:53.601365089 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:46:53.652281046 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:46:53.988779068 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:46:53.988918066 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:46:54.274559021 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:46:54.274681091 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:46:54.576040983 CET	42836	443	192.168.2.23	91.189.91.43
Jan 18, 2022 07:46:55.343966007 CET	42516	80	192.168.2.23	109.202.202.202
Jan 18, 2022 07:47:04.557137966 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:47:04.557481050 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:47:09.936152935 CET	43928	443	192.168.2.23	91.189.91.42
Jan 18, 2022 07:47:14.845346928 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:47:14.845550060 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:47:20.176249981 CET	42836	443	192.168.2.23	91.189.91.43
Jan 18, 2022 07:47:25.130991936 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:47:25.131371021 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:47:26.320272923 CET	42516	80	192.168.2.23	109.202.202.202
Jan 18, 2022 07:47:35.420325994 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:47:35.420653105 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:47:45.705293894 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:47:45.705586910 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:47:50.901077032 CET	43928	443	192.168.2.23	91.189.91.42
Jan 18, 2022 07:47:55.995656013 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:47:55.995908022 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:48:06.277590036 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:48:06.277998924 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:48:11.376343966 CET	42836	443	192.168.2.23	91.189.91.43
Jan 18, 2022 07:48:16.571983099 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:48:16.572427034 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:48:26.864193916 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:48:26.864531994 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:48:37.156311035 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:48:37.156542063 CET	45048	2897	192.168.2.23	96.43.105.68
Jan 18, 2022 07:48:47.433350086 CET	2897	45048	96.43.105.68	192.168.2.23
Jan 18, 2022 07:48:47.433764935 CET	45048	2897	192.168.2.23	96.43.105.68

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 18, 2022 07:46:53.190156937 CET	53923	53	192.168.2.23	114.114.114.114
Jan 18, 2022 07:46:53.312122107 CET	53	53923	114.114.114.114	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 18, 2022 07:46:53.190156937 CET	192.168.2.23	114.114.114.114	0x8fb3	Standard query (0)	aa369369.f3322.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 18, 2022 07:46:53.312122107 CET	114.114.114.114	192.168.2.23	0x8fb3	No error (0)	aa369369.f3322.org		96.43.105.68	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: test PID: 5222 Parent PID: 5116

General

Start time:	07:46:50
Start date:	18/01/2022
Path:	/tmp/test
Arguments:	/tmp/test
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: test PID: 5223 Parent PID: 5222

General

Start time:	07:46:50
Start date:	18/01/2022
Path:	/tmp/test
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: test PID: 5224 Parent PID: 5223

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/tmp/test
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: test PID: 5225 Parent PID: 5224

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/tmp/test
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5225 Parent PID: 5224

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	/boot/lqzpnnvgqq
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5226 Parent PID: 5225

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5227 Parent PID: 5226

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5228 Parent PID: 5227

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5229 Parent PID: 5226

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5230 Parent PID: 5229

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: update-rc.d PID: 5230 Parent PID: 1860

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/sbin/update-rc.d
Arguments:	update-rc.d lqzpnnvgqq defaults
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: update-rc.d PID: 5235 Parent PID: 5230

General

Start time:	07:46:52
Start date:	18/01/2022
Path:	/sbin/update-rc.d
Arguments:	n/a
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Chronological Activities

Analysis Process: systemctl PID: 5235 Parent PID: 5230

General

Start time:	07:46:52
Start date:	18/01/2022
Path:	/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5231 Parent PID: 5226

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: sh PID: 5231 Parent PID: 5226

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/bin/sh
Arguments:	sh -c "sed -i '/\\/etc\\/cron.hourly\\/cron.sh/d' /etc/crontab && echo '/3 * * * root /etc/cron.hourly/cron.sh' >> /etc/crontab"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5232 Parent PID: 5231

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sed PID: 5232 Parent PID: 5231

General

Start time:	07:46:51
Start date:	18/01/2022
Path:	/bin/sed
Arguments:	sed -i /\\/etc\\/cron.hourly\\/cron.sh/d /etc/crontab
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5252 Parent PID: 5226

General

Start time:	07:46:53
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5253 Parent PID: 5252

General

Start time:	07:46:53
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: cmltpcveev PID: 5253 Parent PID: 5252

General

Start time:	07:46:53
Start date:	18/01/2022
Path:	/boot/cmltpcveev
Arguments:	/boot/cmltpcveev pwd 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: cmltpcveev PID: 5254 Parent PID: 5253

General

Start time:	07:46:53
Start date:	18/01/2022
Path:	/boot/cmltpcveev
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5259 Parent PID: 5226

General

Start time:	07:46:59
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5260 Parent PID: 5259

General

Start time:	07:46:59
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: ydvgqptufg PID: 5260 Parent PID: 5259

General

Start time:	07:46:59
Start date:	18/01/2022
Path:	/boot/ydvgqptufg
Arguments:	/boot/ydvgqptufg "ls -la" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: ydvgqptufg PID: 5261 Parent PID: 5260

General

Start time:	07:46:59
Start date:	18/01/2022
Path:	/boot/ydvgqptufg
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5264 Parent PID: 5226

General

Start time:	07:47:04
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5265 Parent PID: 5264

General

Start time:	07:47:04
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: qmdgzglfzw PID: 5265 Parent PID: 5264

General

Start time:	07:47:04
Start date:	18/01/2022
Path:	/boot/qmdgzglfzw
Arguments:	/boot/qmdgzglfzw "cat resolv.conf" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: qmdgzglfzw PID: 5266 Parent PID: 5265

General

Start time:	07:47:04
Start date:	18/01/2022
Path:	/boot/qmdgzglfzw
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5270 Parent PID: 5226

General

Start time:	07:47:10
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5271 Parent PID: 5270

General

Start time:	07:47:10
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: fqimirdumn PID: 5271 Parent PID: 5270

General

Start time:	07:47:10
Start date:	18/01/2022
Path:	/boot/fqimirdumn
Arguments:	/boot/fqimirdumn top 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: fqimirdumn PID: 5272 Parent PID: 5271

General

Start time:	07:47:10
Start date:	18/01/2022
Path:	/boot/fqimirdumn
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5275 Parent PID: 5226

General

Start time:	07:47:15
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5276 Parent PID: 5275

General

Start time:	07:47:15
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: mpetjlbbrw PID: 5276 Parent PID: 5275

General

Start time:	07:47:15
Start date:	18/01/2022
Path:	/boot/mpetjlbbrw
Arguments:	/boot/mpetjlbbrw su 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: mpetjlbbrw PID: 5277 Parent PID: 5276

General

Start time:	07:47:15
Start date:	18/01/2022
Path:	/boot/mpetjlbbrw
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5280 Parent PID: 5226

General

Start time:	07:47:21
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5281 Parent PID: 5280

General

Start time:	07:47:21
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: ikjjfxjdrw PID: 5281 Parent PID: 5280

General

Start time:	07:47:21
Start date:	18/01/2022
Path:	/boot/ikjjfxjdrw
Arguments:	/boot/ikjjfxjdrw "cd /etc" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: ikjjfxjdrw PID: 5282 Parent PID: 5281

General

Start time:	07:47:21
Start date:	18/01/2022
Path:	/boot/ikjjfxjdrw
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5285 Parent PID: 5226

General

Start time:	07:47:26
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5286 Parent PID: 5285

General

Start time:	07:47:26
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: laeuklbisl PID: 5286 Parent PID: 5285

General

Start time:	07:47:26
Start date:	18/01/2022
Path:	/boot/laeuklbisl
Arguments:	/boot/laeuklbisl who 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: laeuklbisl PID: 5287 Parent PID: 5286

General

Start time:	07:47:26
Start date:	18/01/2022
Path:	/boot/laeuklbisl
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5290 Parent PID: 5226

General

Start time:	07:47:32
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5291 Parent PID: 5290

General

Start time:	07:47:32
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: reasemoxfd PID: 5291 Parent PID: 5290

General

Start time:	07:47:32
Start date:	18/01/2022
Path:	/boot/reasemoxfd
Arguments:	/boot/reasemoxfd top 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: reasemoxfd PID: 5292 Parent PID: 5291

General

Start time:	07:47:32
Start date:	18/01/2022
Path:	/boot/reasemoxfd
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5296 Parent PID: 5226

General

Start time:	07:47:37
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5297 Parent PID: 5296

General

Start time:	07:47:37
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: dembkqdnnd PID: 5297 Parent PID: 5296

General

Start time:	07:47:37
Start date:	18/01/2022
Path:	/boot/dembkqdnnd
Arguments:	/boot/dembkqdnnd "ps -ef" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: dembkqdnnd PID: 5298 Parent PID: 5297

General

Start time:	07:47:37
Start date:	18/01/2022
Path:	/boot/dembkqdnnd
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5305 Parent PID: 5226

General

Start time:	07:47:43
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5306 Parent PID: 5305

General

Start time:	07:47:43
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: xlkatqzakt PID: 5306 Parent PID: 5305

General

Start time:	07:47:43
Start date:	18/01/2022
Path:	/boot/xlkatqzakt
Arguments:	/boot/xlkatqzakt who 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: xlkatqzakt PID: 5307 Parent PID: 5306

General

Start time:	07:47:43
Start date:	18/01/2022
Path:	/boot/xlkatqzakt
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5310 Parent PID: 5226

General

Start time:	07:47:48
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5311 Parent PID: 5310

General

Start time:	07:47:48
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: uwjxivocaf PID: 5311 Parent PID: 5310

General

Start time:	07:47:48
Start date:	18/01/2022
Path:	/boot/uwjxivocaf
Arguments:	/boot/uwjxivocaf "grep \"A\"" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: uwjxivocaf PID: 5312 Parent PID: 5311

General

Start time:	07:47:48
Start date:	18/01/2022
Path:	/boot/uwjxivocaf
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5315 Parent PID: 5226

General

Start time:	07:47:54
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5316 Parent PID: 5315

General

Start time:	07:47:54
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: hrdgxiqezw PID: 5316 Parent PID: 5315

General

Start time:	07:47:54
Start date:	18/01/2022
Path:	/boot/hrdgxiqezw
Arguments:	/boot/hrdgxiqezw ls 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: hrdgxiqezw PID: 5317 Parent PID: 5316

General

Start time:	07:47:54
Start date:	18/01/2022
Path:	/boot/hrdgxiqezw
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5320 Parent PID: 5226

General

Start time:	07:47:59
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5321 Parent PID: 5320

General

Start time:	07:47:59
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: bsnzgwmdyz PID: 5321 Parent PID: 5320

General

Start time:	07:47:59
Start date:	18/01/2022
Path:	/boot/bsnzgwmdyz
Arguments:	/boot/bsnzgwmdyz "route -n" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: bsnzgwmdyz PID: 5322 Parent PID: 5321

General

Start time:	07:47:59
Start date:	18/01/2022
Path:	/boot/bsnzgwmdyz
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5325 Parent PID: 5226

General

Start time:	07:48:04
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5326 Parent PID: 5325

General

Start time:	07:48:04
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: pgpndyvjry PID: 5326 Parent PID: 5325

General

Start time:	07:48:04
Start date:	18/01/2022
Path:	/boot/pgpndyvjry
Arguments:	/boot/pgpndyvjry ifconfig 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: pgpndyvjry PID: 5327 Parent PID: 5326

General

Start time:	07:48:04
Start date:	18/01/2022
Path:	/boot/pgpndyvjry
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5331 Parent PID: 5226

General

Start time:	07:48:09
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5332 Parent PID: 5331

General

Start time:	07:48:09
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lvhmzhponu PID: 5332 Parent PID: 5331

General

Start time:	07:48:09
Start date:	18/01/2022
Path:	/boot/lvhmzhponu
Arguments:	/boot/lvhmzhponu id 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lvhmzhponu PID: 5333 Parent PID: 5332

General

Start time:	07:48:09
Start date:	18/01/2022
Path:	/boot/lvhmzhponu
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5336 Parent PID: 5226

General

Start time:	07:48:14
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5337 Parent PID: 5336

General

Start time:	07:48:14
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: rlgxokxghy PID: 5337 Parent PID: 5336

General

Start time:	07:48:14
Start date:	18/01/2022
Path:	/boot/rlgxokxghy
Arguments:	/boot/rlgxokxghy "ps -ef" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: rlgxokxghy PID: 5338 Parent PID: 5337

General

Start time:	07:48:14
Start date:	18/01/2022
Path:	/boot/rlgxokxghy
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5341 Parent PID: 5226

General

Start time:	07:48:19
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5342 Parent PID: 5341

General

Start time:	07:48:19
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: tsaycfvlxl PID: 5342 Parent PID: 5341

General

Start time:	07:48:19
Start date:	18/01/2022
Path:	/boot/tsaycfvlxl
Arguments:	/boot/tsaycfvlxl "cd /etc" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: tsaycfvlxl PID: 5343 Parent PID: 5342

General

Start time:	07:48:19
Start date:	18/01/2022
Path:	/boot/tsaycfvlxl
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5347 Parent PID: 5226

General

Start time:	07:48:24
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5348 Parent PID: 5347

General

Start time:	07:48:24
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: crjtcddcvs PID: 5348 Parent PID: 5347

General

Start time:	07:48:24
Start date:	18/01/2022
Path:	/boot/crjtcddcvs
Arguments:	/boot/crjtcddcvs bash 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: crjtcddcvs PID: 5349 Parent PID: 5348

General

Start time:	07:48:24
Start date:	18/01/2022
Path:	/boot/crjtcddcvs
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5352 Parent PID: 5226

General

Start time:	07:48:29
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5353 Parent PID: 5352

General

Start time:	07:48:29
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: vypsjwtnwx PID: 5353 Parent PID: 5352

General

Start time:	07:48:29
Start date:	18/01/2022
Path:	/boot/vypsjwtnwx
Arguments:	/boot/vypsjwtnwx ls 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: vypsjwtnwx PID: 5354 Parent PID: 5353

General

Start time:	07:48:29
Start date:	18/01/2022
Path:	/boot/vypsjwtnwx
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5357 Parent PID: 5226

General

Start time:	07:48:35
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5358 Parent PID: 5357

General

Start time:	07:48:35
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: wkgsskqrhz PID: 5358 Parent PID: 5357

General

Start time:	07:48:35
Start date:	18/01/2022
Path:	/boot/wkgsskqrhz
Arguments:	/boot/wkgsskqrhz "route -n" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: wkgsskqrhz PID: 5359 Parent PID: 5358

General

Start time:	07:48:35
Start date:	18/01/2022
Path:	/boot/wkgsskqrhz
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5365 Parent PID: 5226

General

Start time:	07:48:40
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5366 Parent PID: 5365

General

Start time:	07:48:40
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: breklnwkhg PID: 5366 Parent PID: 5365

General

Start time:	07:48:40
Start date:	18/01/2022
Path:	/boot/breklnwkhg
Arguments:	/boot/breklnwkhg "sleep 1" 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: breklnwkhg PID: 5367 Parent PID: 5366

General

Start time:	07:48:40
Start date:	18/01/2022
Path:	/boot/breklnwkhg
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5370 Parent PID: 5226

General

Start time:	07:48:45
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5371 Parent PID: 5370

General

Start time:	07:48:45
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: wsgrxxhjuz PID: 5371 Parent PID: 5370

General

Start time:	07:48:45
Start date:	18/01/2022
Path:	/boot/wsgrxxhjuz
Arguments:	/boot/wsgrxxhjuz ls 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: wsgrxxhjuz PID: 5372 Parent PID: 5371

General

Start time:	07:48:45
Start date:	18/01/2022
Path:	/boot/wsgrxxhjuz
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5375 Parent PID: 5226

General

Start time:	07:48:50
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: lqzpnnvgqq PID: 5376 Parent PID: 5375

General

Start time:	07:48:50
Start date:	18/01/2022
Path:	/boot/lqzpnnvgqq
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: myeasimsce PID: 5376 Parent PID: 5375

General

Start time:	07:48:50
Start date:	18/01/2022
Path:	/boot/myeasimsce
Arguments:	/boot/myeasimsce top 5226
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: myeasimsce PID: 5377 Parent PID: 5376

General

Start time:	07:48:50
Start date:	18/01/2022
Path:	/boot/myeasimsce
Arguments:	n/a
File size:	662840 bytes
MD5 hash:	d20e3e491d242d649c3fcf4879f2cbf2

Chronological Activities

Analysis Process: systemd PID: 5237 Parent PID: 5236

General

Start time:	07:46:52
Start date:	18/01/2022
Path:	/usr/lib/systemd/systemd
Arguments:	n/a
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5237 Parent PID: 5236

General

Start time:	07:46:52
Start date:	18/01/2022
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. The at command within Linux operating systems enables administrators to schedule tasks.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Linux Analysis Report test

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Process Tree

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Jbx Signature Overview

AV Detection:

Bitcoin Miner:

Networking:

DDoS:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Remote Access Functionality:

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Runtime Messages

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Symbols

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: test PID: 5222 Parent PID: 5116

General

Analysis Process: test PID: 5223 Parent PID: 5222

General

Analysis Process: test PID: 5224 Parent PID: 5223

General

Analysis Process: test PID: 5225 Parent PID: 5224

General

Analysis Process: lqzpnnvgqq PID: 5225 Parent PID: 5224

General

Analysis Process: lqzpnnvgqq PID: 5226 Parent PID: 5225

General

Analysis Process: lqzpnnvgqq PID: 5227 Parent PID: 5226