MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af8011205bc9e9c12673ee1b3bb66ac7eb5788fd4b23d721ae1513cc5b6ffc23. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 8

SHA256 hash: af8011205bc9e9c12673ee1b3bb66ac7eb5788fd4b23d721ae1513cc5b6ffc23
SHA3-384 hash: 80ff06aaad159db1bea2b724ad337b5127af8fee1467609e472d54d82fd66b87a0341b04465a80c5a56966263110ceb6
SHA1 hash: 9e96c694f3b4ec8a1bc02614370b9f329603f902
MD5 hash: 2f66ab9cfe204978a4dad9ba588532ac
humanhash: one-magnesium-grey-mobile
File name: lol.sh
Signature: Mirai
File size: 3'874 bytes
First seen: 2025-11-11 09:56:45 UTC
Last seen: 2025-11-11 12:29:35 UTC
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:i/U9/Vv/6V/tH/XVR/7AY/r6rB/A1/rHL/c/J/VE+/5H/mN/2d/Nr7/ohoYGsM:iiZgJtRfwejL6G+dcsp7Eq
TLSH: T1D781D0CD20525F7328AE6F22E26F544773439866D68FDE09F5DCA8A5804DE1DA380BCD
TrID: 70.0% (.SH) Linux/UNIX shell script (7000/1)
      30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika: shell
Reporter: abuse_ch
Tags: mirai sh

Intelligence

File Origin
# of uploads: 2
# of downloads: 68
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: busybox evasive medusa mirai obfuscated

Verdict: Malicious
File Type: unix shell
First seen: 2025-11-11T08:04:00Z UTC
Last seen: 2025-11-11T09:41:00Z UTC
Hits: ~10
Status: terminated
Behavior Graph:
pid=5371->4f6baed0-9587-596c-82b3-fd721afe4cc1 send: 64B guuid=84a8b965-1e00-0000-00a1-720efa140000 pid=5371->defbd09d-ca8d-598f-867f-59434f2c4745 con 1f666030-95cd-508e-a726-bba34e473e8f 216.202.200.164:22 guuid=805989d1-2000-0000-00a1-720e00150000 pid=5376->1f666030-95cd-508e-a726-bba34e473e8f send: 5973426B guuid=a81194d1-2000-0000-00a1-720e01150000 pid=5377 /tmp/executor.x86 guuid=805989d1-2000-0000-00a1-720e00150000 pid=5376->guuid=a81194d1-2000-0000-00a1-720e01150000 pid=5377 clone guuid=12f04ad2-2000-0000-00a1-720e02150000 pid=5378->1f666030-95cd-508e-a726-bba34e473e8f send: 5973426B guuid=a49050d2-2000-0000-00a1-720e03150000 pid=5379 /tmp/executor.i686 guuid=12f04ad2-2000-0000-00a1-720e02150000 pid=5378->guuid=a49050d2-2000-0000-00a1-720e03150000 pid=5379 clone guuid=a86ad9b6-2600-0000-00a1-720e04150000 pid=5380->1f666030-95cd-508e-a726-bba34e473e8f send: 5973426B guuid=e4f1ebb6-2600-0000-00a1-720e05150000 pid=5381 /tmp/executor.x86 guuid=a86ad9b6-2600-0000-00a1-720e04150000 pid=5380->guuid=e4f1ebb6-2600-0000-00a1-720e05150000 pid=5381 clone guuid=59c21cb8-2600-0000-00a1-720e06150000 pid=5382->1f666030-95cd-508e-a726-bba34e473e8f send: 5973426B guuid=8e692bb8-2600-0000-00a1-720e07150000 pid=5383 /tmp/executor.i686 guuid=59c21cb8-2600-0000-00a1-720e06150000 pid=5382->guuid=8e692bb8-2600-0000-00a1-720e07150000 pid=5383 clone
Threat name: Linux.Downloader.Medusa
Status: Malicious
First seen: 2025-11-11 09:57:11 UTC
File Type: Text (Shell)
AV detection: 16 of 23 (69.57%)
Threat level: 3/5
Result
Malware family:
Score: 10/10
Tags: family:mirai antivm botnet defense_evasion discovery linux upx
Behaviour
Reads runtime system information
System Network Configuration Discovery
Writes file to tmp directory
Checks CPU configuration
UPX packed file
Enumerates running processes
Writes file to system bin folder
File and Directory Permissions Modification
Executes dropped EXE
Modifies Watchdog functionality
Mirai
Mirai family
Malware Config
C2 Extraction:
bot.windy.wtf
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Linux_Shellscript_Downloader
Author:albertzsigovits
Description:Generic Approach to Shellscript downloaders

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

sh af8011205bc9e9c12673ee1b3bb66ac7eb5788fd4b23d721ae1513cc5b6ffc23

(this sample)

Delivery method
Distributed via web download

Comments