download:

/x/tplink

Full analysis: https://app.any.run/tasks/87daad30-ee84-47a7-8de1-c0bb8955662d
Verdict: Malicious activity
Analysis date: June 14, 2025, 10:31:13
OS: Ubuntu 22.04.2
MIME: text/plain
File info: ASCII text
MD5: D5A9DB2621F8771E593C085BF310D0BF
SHA1: EB44C6EA2C8294183B90A9C98032FC29652AF5EF
SHA256: E3EB52ADC5F5FBBC84672DE68DF6A5163A542FA3E3E59E6F0C8E0CDFEFB84CF1
SSDEEP: 24:b20+xacxjDD/MRGD4AJ46im4iWKoxtgshR24iijitHFWRGmnOiHAtR:b20+x1nLD4m4Tm4iWKoA7WMDmPHY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • kr33 (deleted) (PID: 41530)
      • kr33 (deleted) (PID: 41527)
      • kr33 (deleted) (PID: 41526)
      • xle1 (PID: 41525)
      • kr33 (deleted) (PID: 41529)
      • kr33 (deleted) (PID: 41531)
  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 41400)
      • gnome-terminal-server (PID: 41459)
    • Starts itself from another location

      • xle1 (PID: 41525)
    • Uses wget to download content

      • dash (PID: 41492)
    • Potential Corporate Privacy Violation

      • wget (PID: 41493)
      • wget (PID: 41498)
      • wget (PID: 41503)
      • wget (PID: 41508)
      • wget (PID: 41513)
      • wget (PID: 41518)
      • wget (PID: 41523)
    • Executes the "rm" command to delete files or directories

      • dash (PID: 41492)
    • Connects to the server without a host name

      • wget (PID: 41498)
      • wget (PID: 41493)
      • wget (PID: 41508)
      • wget (PID: 41503)
      • wget (PID: 41513)
      • wget (PID: 41518)
      • wget (PID: 41523)
    • Connects to FTP

      • kr33 (deleted) (PID: 41588)
    • Connects to unusual port

      • kr33 (deleted) (PID: 41588)
    • Connects to SMTP port

      • kr33 (deleted) (PID: 41588)
  • INFO

    • Checks timezone

      • wget (PID: 41493)
      • python3.10 (PID: 41451)
      • wget (PID: 41498)
      • wget (PID: 41508)
      • wget (PID: 41503)
      • wget (PID: 41513)
      • wget (PID: 41518)
      • wget (PID: 41523)
      • wget (PID: 41532)
    • Creates file in the temporary folder

      • wget (PID: 41493)
      • wget (PID: 41498)
      • wget (PID: 41503)
      • wget (PID: 41508)
      • wget (PID: 41513)
      • wget (PID: 41518)
      • wget (PID: 41523)
No Malware configuration.
No data.
Total processes: 239
Monitored processes: 102
Malicious processes: 2
Suspicious processes: 12

Behavior graph


Process information

PID 41399
  CMD: /bin/sh -c "DISPLAY=:0 sudo -iu user gnome-text-editor /home/user/Desktop/tplink "
  Path: /usr/bin/dash
  Parent process: UbvyYXL4x2mYa65Q
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libc.so.6

PID 41400
  CMD: sudo -iu user gnome-text-editor /home/user/Desktop/tplink
  Path: /usr/bin/sudo
  Parent process: dash
  User: root
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
    • /usr/lib/x86_64-linux-gnu/libselinux.so.1
    • /usr/libexec/sudo/libsudo_util.so.0.0.0
    • /usr/lib/x86_64-linux-gnu/libc.so.6
    • /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
    • /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
    • /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
    • /usr/libexec/sudo/sudoers.so
    • /usr/lib/x86_64-linux-gnu/libpam.so.0.85.1
    • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11

PID 41401
  CMD: gnome-text-editor /home/user/Desktop/tplink
  Path: /usr/bin/gnome-text-editor
  Parent process: sudo
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
    • /usr/lib/x86_64-linux-gnu/libc.so.6
    • /usr/lib/x86_64-linux-gnu/libm.so.6
    • /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.7200.4
    • /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.4
    • /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4
    • /usr/lib/x86_64-linux-gnu/libgtk-4.so.1.600.6
    • /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0.5000.6
    • /usr/lib/x86_64-linux-gnu/libcairo.so.2.11600.0
    • /usr/lib/x86_64-linux-gnu/libgtksourceview-5.so.0.0.0

PID 41402
  CMD: /usr/bin/locale-check C.UTF-8
  Path: /usr/bin/locale-check
  Parent process: gnome-text-editor
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libc.so.6

PID 41451
  CMD: /usr/bin/python3 /usr/bin/gnome-terminal
  Path: /usr/bin/python3.10
  Parent process: gnome-shell
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libc.so.6
    • /usr/lib/x86_64-linux-gnu/libm.so.6
    • /usr/lib/x86_64-linux-gnu/libexpat.so.1.8.7
    • /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
    • /usr/lib/python3/dist-packages/gi/_gi.cpython-310-x86_64-linux-gnu.so
    • /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4
    • /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.4
    • /usr/lib/x86_64-linux-gnu/libgirepository-1.0.so.1.0.0
    • /usr/lib/x86_64-linux-gnu/libffi.so.8.1.0
    • /usr/lib/x86_64-linux-gnu/libpcre.so.3.13.3

PID 41454
  CMD: /usr/bin/gnome-terminal.real
  Path: /usr/bin/gnome-terminal.real
  Parent process: python3.10
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libdconf.so.1.0.0
    • /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.7200.4
    • /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.7200.4
    • /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.7200.4
    • /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.2404.29
    • /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.2404.29
    • /usr/lib/x86_64-linux-gnu/libx11.so.6.4.0
    • /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
    • /usr/lib/x86_64-linux-gnu/libvte-2.91.so.0.6800.0
    • /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.30

PID 41459
  CMD: /usr/libexec/gnome-terminal-server
  Path: /usr/libexec/gnome-terminal-server
  Parent process: systemd
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libffi.so.8.1.0
    • /usr/lib/x86_64-linux-gnu/libpcre.so.3.13.3
    • /usr/lib/x86_64-linux-gnu/libm.so.6
    • /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0.5000.6
    • /usr/lib/x86_64-linux-gnu/libxi.so.6.1.0
    • /usr/lib/x86_64-linux-gnu/libxfixes.so.3.1.0
    • /usr/lib/x86_64-linux-gnu/libcairo-gobject.so.2.11600.0
    • /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.4200.8
    • /usr/lib/x86_64-linux-gnu/libdconf.so.1.0.0
    • /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.7200.4

PID 41477
  CMD: bash
  Path: /usr/bin/bash
  Parent process: gnome-terminal-server
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libtinfo.so.6.3
    • /usr/lib/x86_64-linux-gnu/libc.so.6

PID 41478
  CMD: /bin/sh /usr/bin/lesspipe
  Path: /usr/bin/dash
  Parent process: bash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libc.so.6

PID 41479
  CMD: basename /usr/bin/lesspipe
  Path: /usr/bin/basename
  Parent process: dash
  User: user
  Integrity Level: UNKNOWN
  Exit code: 0
  Modules (images):
    • /usr/lib/x86_64-linux-gnu/libc.so.6
Executable files: 0
Suspicious files: 24
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
41401 | gnome-text-editor | /home/user/.local/share/org.gnome.TextEditor/session.gvariant | binary
41401 | gnome-text-editor | /home/user/.local/share/org.gnome.TextEditor/recently-used.xbel | xml
41401 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/07/a5ca34ded861cac74dd87c9367c0531ebaf63d | binary
41401 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/ab/bb62a84ebd8c6f699de6da1f95cf51d1deb40a | binary
41401 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/d2/ea27fa2c8972e4719271e6ea166eb60cb88796 | binary
41401 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/74/0feed80fcc6c9ed6fbc025c5e0aa962968fa40 | binary
41401 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/ef/9264a26aff24effa3ab2448c5e2b0d43efb799 | binary
41401 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/48/a0ff10489db7ebfc0d92f468cbc86c7b0efa5a | binary
41401 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/1e/249eaecfafcd47969e43f2f113e00fcb7dc5ee | binary
41401 | gnome-text-editor | /home/user/.cache/mesa_shader_cache/fb/c959346589f64d5020946890030fd2d2df6d5e | binary
HTTP(S) requests: 8
TCP/UDP connections: 34
DNS requests: 12
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 204 | 91.189.91.96:80 | http://connectivity-check.ubuntu.com/ | unknown | whitelisted
41493 | wget | GET | 200 | 31.59.40.187:80 | http://31.59.40.187/j/mle1 | unknown | malicious
41498 | wget | GET | 200 | 31.59.40.187:80 | http://31.59.40.187/j/mbe1 | unknown | malicious
41503 | wget | GET | 200 | 31.59.40.187:80 | http://31.59.40.187/j/aale1 | unknown | malicious
41513 | wget | GET | 200 | 31.59.40.187:80 | http://31.59.40.187/j/a7le1 | unknown | malicious
41508 | wget | GET | 200 | 31.59.40.187:80 | http://31.59.40.187/j/a5le1 | unknown | malicious
41518 | wget | GET | 200 | 31.59.40.187:80 | http://31.59.40.187/j/ppc1 | unknown | malicious
41523 | wget | GET | 200 | 31.59.40.187:80 | http://31.59.40.187/j/xle1 | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 185.125.190.98:80 | connectivity-check.ubuntu.com | Canonical Group Limited | GB | whitelisted
484 | avahi-daemon | 224.0.0.251:5353 | - | - | - | unknown
- | - | 91.189.91.96:80 | connectivity-check.ubuntu.com | Canonical Group Limited | US | whitelisted
1178 | snap-store | 195.181.175.40:443 | odrs.gnome.org | Datacamp Limited | DE | whitelisted
512 | snapd | 185.125.188.57:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
512 | snapd | 185.125.188.58:443 | api.snapcraft.io | Canonical Group Limited | GB | whitelisted
41493 | wget | 31.59.40.187:80 | - | Iran Telecommunication Company PJS | IR | malicious
41498 | wget | 31.59.40.187:80 | - | Iran Telecommunication Company PJS | IR | malicious
41503 | wget | 31.59.40.187:80 | - | Iran Telecommunication Company PJS | IR | malicious
41508 | wget | 31.59.40.187:80 | - | Iran Telecommunication Company PJS | IR | malicious

DNS requests

Domain | IP | Reputation
connectivity-check.ubuntu.com
whitelisted
google.com
  • 142.250.181.238
  • 2a00:1450:4001:827::200e
whitelisted
odrs.gnome.org
whitelisted
api.snapcraft.io
whitelisted
6.100.168.192.in-addr.arpa
unknown
3gipcam.com
unknown

Threats

PID | Process | Class | Message
41493 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41498 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41503 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41508 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41513 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41518 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
41523 | wget | Potential Corporate Privacy Violation | ET INFO Executable and linking format (ELF) file download Over HTTP
No debug info