Edit tour

Linux Analysis Report
demon.mpsl.elf

Overview

General Information

Sample name:demon.mpsl.elf
Analysis ID:1635829
MD5:c9c8e3a940d9293a5bcf4241b243cd35
SHA1:4b707703bdb1350a462539666a2596f463240d1c
SHA256:99089a8788583ce41d984cbac7d2c5cc75bb73ba201868e40a5b12fa6eb1c2c0
Tags:elfuser-abuse_ch
Infos:

Detection

Score:56
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Detected TCP or UDP traffic on non-standard ports
Executes the "rm" command used to delete files or directories
Sample has stripped symbol table
Sample listens on a socket
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1635829
Start date and time:2025-03-12 02:32:21 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 49s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:demon.mpsl.elf
Detection:MAL
Classification:mal56.linELF@0/0@2/0
Command:/tmp/demon.mpsl.elf
PID:5535
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Dark infection successful!!
Standard Error:
  • system is lnxubuntu20
  • dash New Fork (PID: 5505, Parent: 3670)
  • rm (PID: 5505, Parent: 3670, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.btncmw4EzM /tmp/tmp.qahWcWiHdN /tmp/tmp.5ULY12lFRC
  • dash New Fork (PID: 5506, Parent: 3670)
  • cat (PID: 5506, Parent: 3670, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.btncmw4EzM
  • dash New Fork (PID: 5507, Parent: 3670)
  • head (PID: 5507, Parent: 3670, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5508, Parent: 3670)
  • tr (PID: 5508, Parent: 3670, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5509, Parent: 3670)
  • cut (PID: 5509, Parent: 3670, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5510, Parent: 3670)
  • cat (PID: 5510, Parent: 3670, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.btncmw4EzM
  • dash New Fork (PID: 5511, Parent: 3670)
  • head (PID: 5511, Parent: 3670, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10
  • dash New Fork (PID: 5512, Parent: 3670)
  • tr (PID: 5512, Parent: 3670, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037
  • dash New Fork (PID: 5513, Parent: 3670)
  • cut (PID: 5513, Parent: 3670, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80
  • dash New Fork (PID: 5514, Parent: 3670)
  • rm (PID: 5514, Parent: 3670, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.btncmw4EzM /tmp/tmp.qahWcWiHdN /tmp/tmp.5ULY12lFRC
  • demon.mpsl.elf (PID: 5535, Parent: 5436, MD5: 0d6f61f82cf2f781c6eb0661071d42d9) Arguments: /tmp/demon.mpsl.elf
  • cleanup
No yara matches
TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
2025-03-12T02:33:02.407926+010028366151Malware Command and Control Activity Detected192.168.2.1550094196.251.81.24610019TCP

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: demon.mpsl.elfReversingLabs: Detection: 52%

Networking

barindex
Source: Network trafficSuricata IDS: 2836615 - Severity 1 - ETPRO MALWARE ELF/Miori Variant CnC Activity : 192.168.2.15:50094 -> 196.251.81.246:10019
Source: global trafficTCP traffic: 192.168.2.15:50094 -> 196.251.81.246:10019
Source: /tmp/demon.mpsl.elf (PID: 5535)Socket: 127.0.0.1:12121Jump to behavior
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.81.246
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.81.246
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.81.246
Source: unknownTCP traffic detected without corresponding DNS query: 196.251.81.246
Source: global trafficDNS traffic detected: DNS query: daisy.ubuntu.com
Source: ELF static info symbol of initial sample.symtab present: no
Source: classification engineClassification label: mal56.linELF@0/0@2/0
Source: /usr/bin/dash (PID: 5505)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.btncmw4EzM /tmp/tmp.qahWcWiHdN /tmp/tmp.5ULY12lFRCJump to behavior
Source: /usr/bin/dash (PID: 5514)Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.btncmw4EzM /tmp/tmp.qahWcWiHdN /tmp/tmp.5ULY12lFRCJump to behavior
Source: /tmp/demon.mpsl.elf (PID: 5535)Queries kernel information via 'uname': Jump to behavior
Source: demon.mpsl.elf, 5535.1.00007ffc1e949000.00007ffc1e96a000.rw-.sdmpBinary or memory string: #x86_64/usr/bin/qemu-mipsel/tmp/demon.mpsl.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/demon.mpsl.elf
Source: demon.mpsl.elf, 5535.1.0000558554c5c000.0000558554ce3000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/mipsel
Source: demon.mpsl.elf, 5535.1.0000558554c5c000.0000558554ce3000.rw-.sdmpBinary or memory string: U!/etc/qemu-binfmt/mipsel
Source: demon.mpsl.elf, 5535.1.00007ffc1e949000.00007ffc1e96a000.rw-.sdmpBinary or memory string: /usr/bin/qemu-mipsel
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
File Deletion
OS Credential Dumping11
Security Software Discovery
Remote ServicesData from Local System1
Non-Standard Port
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive1
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
No configs have been found
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1635829 Sample: demon.mpsl.elf Startdate: 12/03/2025 Architecture: LINUX Score: 56 17 196.251.81.246, 10019, 50094 SONIC-WirelessZA Seychelles 2->17 19 daisy.ubuntu.com 2->19 21 Suricata IDS alerts for network traffic 2->21 23 Multi AV Scanner detection for submitted file 2->23 7 dash rm demon.mpsl.elf 2->7         started        9 dash rm 2->9         started        11 dash cut 2->11         started        13 7 other processes 2->13 signatures3 process4 process5 15 demon.mpsl.elf 7->15         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
demon.mpsl.elf53%ReversingLabsLinux.Backdoor.Gafgyt
No Antivirus matches
No Antivirus matches
No Antivirus matches

Download Network PCAP: filteredfull

NameIPActiveMaliciousAntivirus DetectionReputation
daisy.ubuntu.com
162.213.35.25
truefalse
    high
    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs
    IPDomainCountryFlagASNASN NameMalicious
    196.251.81.246
    unknownSeychelles
    37417SONIC-WirelessZAtrue
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    196.251.81.246demon.x86.elfGet hashmaliciousUnknownBrowse
      demon.x86.elfGet hashmaliciousUnknownBrowse
        demon.mips.elfGet hashmaliciousUnknownBrowse
          demon.arm.elfGet hashmaliciousUnknownBrowse
            demon.mpsl.elfGet hashmaliciousUnknownBrowse
              demon.arm.elfGet hashmaliciousUnknownBrowse
                demon.mpsl.elfGet hashmaliciousUnknownBrowse
                  demon.mips.elfGet hashmaliciousUnknownBrowse
                    demon.x86.elfGet hashmaliciousUnknownBrowse
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      daisy.ubuntu.comdemon.arm6.elfGet hashmaliciousUnknownBrowse
                      • 162.213.35.24
                      demon.arm.elfGet hashmaliciousUnknownBrowse
                      • 162.213.35.24
                      demon.mpsl.elfGet hashmaliciousUnknownBrowse
                      • 162.213.35.25
                      morte.arm6.elfGet hashmaliciousUnknownBrowse
                      • 162.213.35.24
                      arm6.elfGet hashmaliciousUnknownBrowse
                      • 162.213.35.24
                      arm5-20250311-2220.elfGet hashmaliciousUnknownBrowse
                      • 162.213.35.25
                      mpsl.elfGet hashmaliciousUnknownBrowse
                      • 162.213.35.25
                      arm7.elfGet hashmaliciousMiraiBrowse
                      • 162.213.35.25
                      sh4.elfGet hashmaliciousUnknownBrowse
                      • 162.213.35.25
                      mips.elfGet hashmaliciousMiraiBrowse
                      • 162.213.35.24
                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      SONIC-WirelessZAdemon.x86.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      demon.x86.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      demon.mips.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      demon.arm.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      demon.mpsl.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      demon.arm.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      demon.mpsl.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      demon.mips.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      demon.x86.elfGet hashmaliciousUnknownBrowse
                      • 196.251.81.246
                      Global e-Banking Payment Advice 000000164.exeGet hashmaliciousAgentTeslaBrowse
                      • 196.251.83.222
                      No context
                      No context
                      No created / dropped files found
                      File type:ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
                      Entropy (8bit):5.03206499718142
                      TrID:
                      • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                      File name:demon.mpsl.elf
                      File size:30'520 bytes
                      MD5:c9c8e3a940d9293a5bcf4241b243cd35
                      SHA1:4b707703bdb1350a462539666a2596f463240d1c
                      SHA256:99089a8788583ce41d984cbac7d2c5cc75bb73ba201868e40a5b12fa6eb1c2c0
                      SHA512:c36b0ff19f2f08067ab344e1c211c7e6b335ea51763b07110ede1a336d9891001981d1caba37690226dd57ff0fab89ae04a8d23346f9ce00c62c57b8ed07d3de
                      SSDEEP:384:jUQvZShQK1pgE1fS0j0axMfeLedFeBrSYj9k7MBi7yRXis6hKZmjA:jUtp980jbMfeLedFeBrNWhiXiBhK8U
                      TLSH:0BD25309EF614E6BDCAFDD7745EC079531CD600B21A83B2E7574D828F61A90B4AE3C68
                      File Content Preview:.ELF....................`.@.4...0u......4. ...(...............@...@..h...h...............p...pD..pD.....P...........Q.td...............................<...'!......'.......................<h..'!.............9'.. ........................<8..'!...........@b9

                      ELF header

                      Class:ELF32
                      Data:2's complement, little endian
                      Version:1 (current)
                      Machine:MIPS R3000
                      Version Number:0x1
                      Type:EXEC (Executable file)
                      OS/ABI:UNIX - System V
                      ABI Version:0
                      Entry Point Address:0x400260
                      Flags:0x1007
                      ELF Header Size:52
                      Program Header Offset:52
                      Program Header Size:32
                      Number of Program Headers:3
                      Section Header Offset:30000
                      Section Header Size:40
                      Number of Section Headers:13
                      Header String Table Index:12
                      NameTypeAddressOffsetSizeEntSizeFlagsFlags DescriptionLinkInfoAlign
                      NULL0x00x00x00x00x0000
                      .initPROGBITS0x4000940x940x8c0x00x6AX004
                      .textPROGBITS0x4001200x1200x61900x00x6AX0016
                      .finiPROGBITS0x4062b00x62b00x5c0x00x6AX004
                      .rodataPROGBITS0x4063100x63100x5900x00x2A0016
                      .ctorsPROGBITS0x4470000x70000x80x00x3WA004
                      .dtorsPROGBITS0x4470080x70080x80x00x3WA004
                      .dataPROGBITS0x4470200x70200x2100x00x3WA0016
                      .gotPROGBITS0x4472300x72300x2a80x40x10000003WAp0016
                      .sbssNOBITS0x4474d80x74d80xc0x00x10000003WAp004
                      .bssNOBITS0x4474f00x74d80xd5600x00x3WA0016
                      .mdebug.abi32PROGBITS0x5e80x74d80x00x00x0001
                      .shstrtabSTRTAB0x00x74d80x570x00x0001
                      TypeOffsetVirtual AddressPhysical AddressFile SizeMemory SizeEntropyFlagsFlags DescriptionAlignProg InterpreterSection Mappings
                      LOAD0x00x4000000x4000000x68a00x68a05.30380x5R E0x10000.init .text .fini .rodata
                      LOAD0x70000x4470000x4470000x4d80xda503.70470x6RW 0x10000.ctors .dtors .data .got .sbss .bss
                      GNU_STACK0x00x00x00x00x00.00000x7RWE0x4

                      Download Network PCAP: filteredfull

                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                      2025-03-12T02:33:02.407926+01002836615ETPRO MALWARE ELF/Miori Variant CnC Activity1192.168.2.1550094196.251.81.24610019TCP
                      • Total Packets: 6
                      • 10019 undefined
                      • 53 (DNS)
                      TimestampSource PortDest PortSource IPDest IP
                      Mar 12, 2025 02:33:02.401137114 CET5009410019192.168.2.15196.251.81.246
                      Mar 12, 2025 02:33:02.405929089 CET1001950094196.251.81.246192.168.2.15
                      Mar 12, 2025 02:33:02.405987024 CET5009410019192.168.2.15196.251.81.246
                      Mar 12, 2025 02:33:02.407926083 CET5009410019192.168.2.15196.251.81.246
                      Mar 12, 2025 02:33:02.412555933 CET1001950094196.251.81.246192.168.2.15
                      Mar 12, 2025 02:33:02.412605047 CET5009410019192.168.2.15196.251.81.246
                      Mar 12, 2025 02:33:02.417309999 CET1001950094196.251.81.246192.168.2.15
                      TimestampSource PortDest PortSource IPDest IP
                      Mar 12, 2025 02:35:48.797889948 CET3909553192.168.2.158.8.8.8
                      Mar 12, 2025 02:35:48.797954082 CET5292453192.168.2.158.8.8.8
                      Mar 12, 2025 02:35:48.804043055 CET53390958.8.8.8192.168.2.15
                      Mar 12, 2025 02:35:48.804368019 CET53529248.8.8.8192.168.2.15
                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                      Mar 12, 2025 02:35:48.797889948 CET192.168.2.158.8.8.80x3e53Standard query (0)daisy.ubuntu.comA (IP address)IN (0x0001)false
                      Mar 12, 2025 02:35:48.797954082 CET192.168.2.158.8.8.80xc36bStandard query (0)daisy.ubuntu.com28IN (0x0001)false
                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                      Mar 12, 2025 02:35:48.804043055 CET8.8.8.8192.168.2.150x3e53No error (0)daisy.ubuntu.com162.213.35.25A (IP address)IN (0x0001)false
                      Mar 12, 2025 02:35:48.804043055 CET8.8.8.8192.168.2.150x3e53No error (0)daisy.ubuntu.com162.213.35.24A (IP address)IN (0x0001)false

                      System Behavior

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/rm
                      Arguments:rm -f /tmp/tmp.btncmw4EzM /tmp/tmp.qahWcWiHdN /tmp/tmp.5ULY12lFRC
                      File size:72056 bytes
                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/cat
                      Arguments:cat /tmp/tmp.btncmw4EzM
                      File size:43416 bytes
                      MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/head
                      Arguments:head -n 10
                      File size:47480 bytes
                      MD5 hash:fd96a67145172477dd57131396fc9608

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/tr
                      Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
                      File size:51544 bytes
                      MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/cut
                      Arguments:cut -c -80
                      File size:47480 bytes
                      MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/cat
                      Arguments:cat /tmp/tmp.btncmw4EzM
                      File size:43416 bytes
                      MD5 hash:7e9d213e404ad3bb82e4ebb2e1f2c1b3

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/head
                      Arguments:head -n 10
                      File size:47480 bytes
                      MD5 hash:fd96a67145172477dd57131396fc9608

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/tr
                      Arguments:tr -d \\000-\\011\\013\\014\\016-\\037
                      File size:51544 bytes
                      MD5 hash:fbd1402dd9f72d8ebfff00ce7c3a7bb5

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/cut
                      Arguments:cut -c -80
                      File size:47480 bytes
                      MD5 hash:d8ed0ea8f22c0de0f8692d4d9f1759d3

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/dash
                      Arguments:-
                      File size:129816 bytes
                      MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                      Start time (UTC):01:32:58
                      Start date (UTC):12/03/2025
                      Path:/usr/bin/rm
                      Arguments:rm -f /tmp/tmp.btncmw4EzM /tmp/tmp.qahWcWiHdN /tmp/tmp.5ULY12lFRC
                      File size:72056 bytes
                      MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                      Start time (UTC):01:33:01
                      Start date (UTC):12/03/2025
                      Path:/tmp/demon.mpsl.elf
                      Arguments:/tmp/demon.mpsl.elf
                      File size:5773336 bytes
                      MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9

                      Start time (UTC):01:33:01
                      Start date (UTC):12/03/2025
                      Path:/tmp/demon.mpsl.elf
                      Arguments:-
                      File size:5773336 bytes
                      MD5 hash:0d6f61f82cf2f781c6eb0661071d42d9