Linux Analysis Report wQN5w2558L

Overview

General Information

Sample Name:wQN5w2558L
Analysis ID:1504951
MD5:395249d3e6dae1caff6b5b2e1f75bacd
SHA1:29f16c046a344e0d0adfea80d5d7958d6b6b8cfa
SHA256:ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4

Detection

REvil
Score:76
Range:0 - 100
Whitelisted:false

Signatures

Found malware configuration
Yara detected REvil Linux Ransomware
Creates a notice file (html or txt) to demand a ransom
Found Tor onion address
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample reads from .bash_history
Tries to kill VMware ESXi VMs
Creates hidden files and/or directories
Enumerates processes within the "proc" file system
Executes the "hostname" command used to retrieve the computers name
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample has stripped symbol table
Sample tries to set the executable flag
Tries to execute "esxcli" command used for VMware ESXi administration
Uses the "uname" system call to query kernel version information (possible evasion)
Writes JavaScript files to disk

General Information

Joe Sandbox Version:
Analysis ID:1504951
Start date:01.07.2021
Start time:20:56:04
Joe Sandbox Product:Cloud
Overall analysis duration:0h 12m 1s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:wQN5w2558L
Cookbook file name:defaultlinuxinteractivecookbook.jbs
Analysis system description:Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode:default
Detection:MAL
Classification:mal76.rans.spre.evad.lin@0/507@0/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.39, 91.189.92.38, 91.189.92.40, 91.189.92.41, 91.189.92.19, 91.189.92.20
  • Excluded domains from analysis (whitelisted): api.snapcraft.io
  • Report size exceeded maximum capacity and may have missing behavior information.

Process Tree

  • system is lnxubuntu1
  • exo-open (PID: 2755, Parent: 2123, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open --launch TerminalEmulator
    • exo-open New Fork (PID: 2784, Parent: 2755)
      • exo-open New Fork (PID: 2785, Parent: 2784)
      • exo-helper-1 (PID: 2785, Parent: 1889, MD5: c27a648e34ba5ce625d064af015be147) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 --launch TerminalEmulator
        • xfce4-terminal (PID: 2794, Parent: 2785, MD5: cd860c0a24d13e4caacc08ebe89aa930) Arguments: /usr/bin/xfce4-terminal
          • gnome-pty-helper (PID: 2806, Parent: 2794, MD5: 4847c5390dc12d6acfdd19fef054f30a) Arguments: gnome-pty-helper
          • bash (PID: 2807, Parent: 2794, MD5: 5e666695cf08d1638bb85684e30185ee) Arguments: bash
            • bash New Fork (PID: 2824, Parent: 2807)
              • bash New Fork (PID: 2825, Parent: 2824)
              • lesspipe (PID: 2825, Parent: 2824, MD5: 80a46999efd72ca140acc1990050d65c) Arguments: /bin/sh /usr/bin/lesspipe
                • lesspipe New Fork (PID: 2829, Parent: 2825)
                • basename (PID: 2829, Parent: 2825, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/bin/lesspipe
                • lesspipe New Fork (PID: 2831, Parent: 2825)
                  • lesspipe New Fork (PID: 2832, Parent: 2831)
                  • dirname (PID: 2832, Parent: 2831, MD5: 109f56157fe89667043fd1cca87b24fa) Arguments: dirname /usr/bin/lesspipe
            • bash New Fork (PID: 2833, Parent: 2807)
              • bash New Fork (PID: 2834, Parent: 2833)
              • dircolors (PID: 2834, Parent: 2833, MD5: 1c7070b855358283a329458ff4fbebab) Arguments: dircolors -b
            • bash New Fork (PID: 2863, Parent: 2807)
              • bash New Fork (PID: 2864, Parent: 2863)
              • ls (PID: 2864, Parent: 2863, MD5: f3b92d795c9ee0725c160680acd084d9) Arguments: ls /etc/bash_completion.d
            • bash New Fork (PID: 2873, Parent: 2807)
            • bash New Fork (PID: 2874, Parent: 2807)
            • bash New Fork (PID: 2875, Parent: 2807)
            • bash New Fork (PID: 2876, Parent: 2807)
            • bash New Fork (PID: 2877, Parent: 2807)
            • mv (PID: 2877, Parent: 2807, MD5: 0cdfdd010d5f4acab64a1d89066c92e9) Arguments: mv Desktop/wQN5w2558L .
            • bash New Fork (PID: 2888, Parent: 2807)
            • wQN5w2558L (PID: 2888, Parent: 2807, MD5: unknown) Arguments: ./wQN5w2558L
              • dash (PID: 2889, Parent: 2888, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "uname -a && echo \" | \" && hostname"
                • dash New Fork (PID: 2890, Parent: 2889)
                • uname (PID: 2890, Parent: 2889, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -a
                • dash New Fork (PID: 2891, Parent: 2889)
                • hostname (PID: 2891, Parent: 2889, MD5: 79300176c96052498937c20a23cef810) Arguments: hostname
              • dash (PID: 2894, Parent: 2888, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "uname -a && echo \" | \" && hostname"
                • dash New Fork (PID: 2898, Parent: 2894)
                • uname (PID: 2898, Parent: 2894, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -a
                • dash New Fork (PID: 2942, Parent: 2894)
                • hostname (PID: 2942, Parent: 2894, MD5: 79300176c96052498937c20a23cef810) Arguments: hostname
              • dash (PID: 2951, Parent: 2888, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "pkill -9 vmx-*"
                • dash New Fork (PID: 2952, Parent: 2951)
                • pkill (PID: 2952, Parent: 2951, MD5: f3b843351a404d4e8d4ce0ed0775fa9c) Arguments: pkill -9 vmx-*
              • dash (PID: 2958, Parent: 2888, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'"
                • dash New Fork (PID: 2963, Parent: 2958)
                • dash New Fork (PID: 2964, Parent: 2958)
                • awk (PID: 2964, Parent: 2958, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" $1)}"
  • thunar New Fork (PID: 3040, Parent: 3039)
  • mousepad (PID: 3040, Parent: 3039, MD5: aa2bab7862768edb3685f57fdc81d9f2) Arguments: mousepad /home/user/Desktop/rhkrc-readme.txt
  • cleanup
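The process tree above shows the whole REvil Linux chain in order: fingerprinting via sh -c "uname -a && echo \" | \" && hostname", pkill -9 vmx-*, the esxcli force-kill pipeline, and then the rhkrc-readme.txt notes and the .bashrc write reported further down. The following is an added example, not part of the Joe Sandbox report or of the malware: detection logic in Python that runs over constructed process-exec and file-write events shaped after this tree (the event schema, the benign vim control case with PID 3100, and the editor allowlist are assumptions for the example) and attributes hits to the root process so that a single pkill by an administrator does not trip the verdict.

```python
"""Added example (not sandbox or REvil code): hunt for the REvil Linux
behaviour chain shown in the process tree, over constructed events."""
import re

# Constructed events shaped after the report's process tree and file activity;
# not sandbox output. PID 3100 is a benign control case (an editor writing .bashrc).
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 2888, "ppid": 2807, "exe": "./wQN5w2558L",
     "cmdline": "./wQN5w2558L"},
    {"type": "exec", "pid": 2889, "ppid": 2888, "exe": "/bin/dash",
     "cmdline": 'sh -c "uname -a && echo \\" | \\" && hostname"'},
    {"type": "exec", "pid": 2951, "ppid": 2888, "exe": "/bin/dash",
     "cmdline": 'sh -c "pkill -9 vmx-*"'},
    {"type": "exec", "pid": 2958, "ppid": 2888, "exe": "/bin/dash",
     "cmdline": r'''sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'"'''},
    {"type": "file_write", "pid": 2888, "path": "/home/user/.bashrc"},
    {"type": "file_write", "pid": 2888,
     "path": "/home/user/.cache/evolution/memos/rhkrc-readme.txt"},
    {"type": "exec", "pid": 3100, "ppid": 2807, "exe": "/usr/bin/vim",
     "cmdline": "vim /home/user/.bashrc"},
    {"type": "file_write", "pid": 3100, "path": "/home/user/.bashrc"},
]

# Command-line rules. Note that pkill treats "vmx-*" as an ERE ("vmx" followed by
# zero or more "-"), so it matches any process whose name contains "vmx".
EXEC_RULES = [
    ("esxi_vm_force_kill", re.compile(r"esxcli\s+vm\s+process\s+kill\s+--type=force")),
    ("vmx_process_kill", re.compile(r"\bp?kill\b.*\bvmx")),
    ("uname_hostname_recon", re.compile(r"uname -a\s*&&.*\bhostname\b")),
]
SHELL_RC = re.compile(r"/\.(bashrc|bash_profile|profile)$")
RANSOM_NOTE = re.compile(r"/[^/]+-readme\.txt$")   # REvil nname template "{EXT}-readme.txt"
# Assumption: a local allowlist of interactive editors that legitimately write rc files.
RC_EDITOR_ALLOWLIST = {"/usr/bin/vim", "/usr/bin/nano", "/bin/nano"}


def _parents(events):
    return {e["pid"]: e["ppid"] for e in events if e["type"] == "exec"}


def _exe_of(events):
    return {e["pid"]: e["exe"] for e in events if e["type"] == "exec"}


def root_of(pid, parent_of):
    """Climb the ppid chain while the parent is a process we saw exec; the first
    process whose parent we did not see (here: the bash at 2807) is the root."""
    while parent_of.get(pid) in parent_of:
        pid = parent_of[pid]
    return pid


def hunt(events):
    """Return one hit per matching event: rule name, pid and the chain's root pid."""
    parent_of = _parents(events)
    exe_of = _exe_of(events)
    hits = []
    for e in events:
        if e["type"] == "exec":
            for name, rx in EXEC_RULES:
                if rx.search(e["cmdline"]):
                    hits.append({"rule": name, "pid": e["pid"]})
        elif e["type"] == "file_write":
            writer = exe_of.get(e["pid"], "")
            if SHELL_RC.search(e["path"]) and writer not in RC_EDITOR_ALLOWLIST:
                hits.append({"rule": "shell_rc_write", "pid": e["pid"]})
            if RANSOM_NOTE.search(e["path"]):
                hits.append({"rule": "ransom_note_drop", "pid": e["pid"]})
    for h in hits:
        h["root"] = root_of(h["pid"], parent_of)
    return hits


def verdict(events, min_rules=3):
    """Group hits by root process; only a root that trips min_rules distinct rules
    is reported, so an admin's lone pkill or a single rc-file edit stays quiet."""
    by_root = {}
    for h in hunt(events):
        by_root.setdefault(h["root"], set()).add(h["rule"])
    return {root: sorted(rules) for root, rules in by_root.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h)
    print(verdict(SAMPLE_EVENTS))
```

Against the constructed events, every hit rolls up to PID 2888 (the sample) and the vim write to .bashrc produces none, so the verdict names one root with five distinct rules. On real telemetry (auditd EXECVE/PATH records, an eBPF tracer, or EDR process events) the same grouping step is what separates this chain from the individual commands, each of which is normal on its own.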

Yara Overview

Initial Sample

Source: wQN5w2558L  Rule: JoeSecurity_REvilLinux  Description: Yara detected REvil Linux Ransomware  Author: Joe Security

Memory Dumps

Source: 2888.1.0000000000400000.0000000000415000.r-x.sdmp  Rule: JoeSecurity_REvilLinux  Description: Yara detected REvil Linux Ransomware  Author: Joe Security

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2888.1.0000000000615000.000000000061a000.rw-.sdmp  Malware Configuration Extractor: REvil {"pk": "r58UPwgbaRk5py762WpY/rEsl1jd936THXwqUwID/iM=", "pid": "$2a$12$V3e/gZmP0hFlQhnJLAyOM.Fsb56ksfw0p42oLlNwf2Jou485ElO4K", "sub": "7987", "dbg": false, "et": 0, "nbody": "LS0tPT09IFdlbGNvbWUuIEFnYWluLiA9PT0tLS0KClsrXSBXaGF0cyBIYXBwZW4/IFsrXQoKWW91ciBmaWxlcyBhcmUgZW5jcnlwdGVkLCBhbmQgY3VycmVudGx5IHVuYXZhaWxhYmxlLiBZb3UgY2FuIGNoZWNrIGl0OiBhbGwgZmlsZXMgb24geW91ciBzeXN0ZW0gaGFzIGV4dGVuc2lvbiB7RVhUfS4KQnkgdGhlIHdheSwgZXZlcnl0aGluZyBpcyBwb3NzaWJsZSB0byByZWNvdmVyIChyZXN0b3JlKSwgYnV0IHlvdSBuZWVkIHRvIGZvbGxvdyBvdXIgaW5zdHJ1Y3Rpb25zLiBPdGhlcndpc2UsIHlvdSBjYW50IHJldHVybiB5b3VyIGRhdGEgKE5FVkVSKS4KClsrXSBXaGF0IGd1YXJhbnRlZXM/IFsrXQoKSXRzIGp1c3QgYSBidXNpbmVzcy4gV2UgYWJzb2x1dGVseSBkbyBub3QgY2FyZSBhYm91dCB5b3UgYW5kIHlvdXIgZGVhbHMsIGV4Y2VwdCBnZXR0aW5nIGJlbmVmaXRzLiBJZiB3ZSBkbyBub3QgZG8gb3VyIHdvcmsgYW5kIGxpYWJpbGl0aWVzIC0gbm9ib2R5IHdpbGwgbm90IGNvb3BlcmF0ZSB3aXRoIHVzLiBJdHMgbm90IGluIG91ciBpbnRlcmVzdHMuClRvIGNoZWNrIHRoZSBhYmlsaXR5IG9mIHJldHVybmluZyBmaWxlcywgWW91IHNob3VsZCBnbyB0byBvdXIgd2Vic2l0ZS4gVGhlcmUgeW91IGNhbiBkZWNyeXB0IG9uZSBmaWxlIGZvciBmcmVlLiBUaGF0IGlzIG91ciBndWFyYW50ZWUuCklmIHlvdSB3aWxsIG5vdCBjb29wZXJhdGUgd2l0aCBvdXIgc2VydmljZSAtIGZvciB1cywgaXRzIGRvZXMgbm90IG1hdHRlci4gQnV0IHlvdSB3aWxsIGxvc2UgeW91ciB0aW1lIGFuZCBkYXRhLCBjYXVzZSBqdXN0IHdlIGhhdmUgdGhlIHByaXZhdGUga2V5LiBJbiBwcmFjdGlzZSAtIHRpbWUgaXMgbXVjaCBtb3JlIHZhbHVhYmxlIHRoYW4gbW9uZXkuCgpbK10gSG93IHRvIGdldCBhY2Nlc3Mgb24gd2Vic2l0ZT8gWytdCgpZb3UgaGF2ZSB0d28gd2F5czoKCjEpIFtSZWNvbW1lbmRlZF0gVXNpbmcgYSBUT1IgYnJvd3NlciEKICBhKSBEb3dubG9hZCBhbmQgaW5zdGFsbCBUT1IgYnJvd3NlciBmcm9tIHRoaXMgc2l0ZTogaHR0cHM6Ly90b3Jwcm9qZWN0Lm9yZy8KICBiKSBPcGVuIG91ciB3ZWJzaXRlOiBodHRwOi8vYXBsZWJ6dTQ3d2dhemFwZHFrczZ2cmN2NnpjbmpwcGtieGJyNndrZXRmNTZuZjZhcTJubXlveWQub25pb24ve1VJRH0KCjIpIElmIFRPUiBibG9ja2VkIGluIHlvdXIgY291bnRyeSwgdHJ5IHRvIHVzZSBWUE4hIEJ1dCB5b3UgY2FuIHVzZSBvdXIgc2Vjb25kYXJ5IHdlYnNpdGUuIEZvciB0aGlzOgogIGEpIE9wZW4geW91ciBhbnkgYnJvd3NlciAoQ2hyb21lLCBGaXJlZm94LCBPcGVyYSwgSUUsIEVkZ2UpCiAgYikgT3BlbiBvdXIgc2Vjb25kYXJ5IHdlYnNpdGU6IGh0dHA6Ly9kZWNvZGVyLnJlL3tVSUR9CgpXYXJuaW5nOiBzZWNvbmRhcnkgd2Vic2l0ZSBjYW4gYmUgYmxvY2tlZCwgdGhhdHMgd2h5IGZpcnN0IHZhcmlhbnQgbXVjaCBiZXR0ZXIgYW5kIG1vcmUgYXZhaWxhYmxlLgoKV2hlbiB5b3Ugb3BlbiBvdXIgd2Vic2l0ZSwgcHV0IHRoZSBmb2xsb3dpbmcgZGF0YSBpbiB0aGUgaW5wdXQgZm9ybToKS2V5OgoKCntLRVl9CgoKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KCiEhISBEQU5HRVIgISEhCkRPTlQgdHJ5IHRvIGNoYW5nZSBmaWxlcyBieSB5b3Vyc2VsZiwgRE9OVCB1c2UgYW55IHRoaXJkIHBhcnR5IHNvZnR3YXJlIGZvciByZXN0b3JpbmcgeW91ciBkYXRhIG9yIGFudGl2aXJ1cyBzb2x1dGlvbnMgLSBpdHMgbWF5IGVudGFpbCBkYW1nZSBvZiB0aGUgcHJpdmF0ZSBrZXkgYW5kLCBhcyByZXN1bHQsIFRoZSBMb3NzIGFsbCBkYXRhLgohISEgISEhICEhIQpPTkUgTU9SRSBUSU1FOiBJdHMgaW4geW91ciBpbnRlcmVzdHMgdG8gZ2V0IHlvdXIgZmlsZXMgYmFjay4gRnJvbSBvdXIgc2lkZSwgd2UgKHRoZSBiZXN0IHNwZWNpYWxpc3RzKSBtYWtlIGV2ZXJ5dGhpbmcgZm9yIHJlc3RvcmluZywgYnV0IHBsZWFzZSBzaG91bGQgbm90IGludGVyZmVyZS4KISEhICEhISAhISEA", "nname": "{EXT}-readme.txt", "rdmcnt": 0, "ext": ".rhkrc"}
Note: pk is a base64 string that decodes to 32 bytes, pid is a bcrypt-formatted string, and nbody is the base64 note template (its last quartet decodes to "!!" followed by a NUL terminator). The nname template and ext together give the dropped note name rhkrc-readme.txt seen below; the {UID} and {KEY} placeholders in nbody are filled at run time with the values visible in the dropped notes (93F57EC393F57EC3 and the key blob).
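The following is an added example, not part of the Joe Sandbox report and not REvil's own code: a Python parser for a config blob of the shape shown above that validates the fields, decodes pk and nbody, renders the note the way the dropped files in this report show (nname "{EXT}-readme.txt" plus ext ".rhkrc" gives "rhkrc-readme.txt"; {UID} and {KEY} are substituted in the body), and pulls out the indicators a responder would block. The sample config copies pk, pid, sub, nname and ext from the extractor output above; nbody is a shortened, constructed template encoded in the block so the decode path is exercised without pasting the 2 KB original. The rule that {EXT} in the file name drops the leading dot while {EXT} in the body keeps it is an assumption matching the visible file name; the real UID and key derivation is not shown in the report and is passed in as parameters.

```python
"""Added example (not Joe Sandbox or REvil code): parse a REvil Linux config
blob of the shape shown in the report and render the ransom note it describes."""
import base64
import json
import re

# Constructed sample config. pk, pid, sub, nname and ext are copied from the
# extractor output in the report; nbody is a shortened, constructed note
# template (the real one is about 2 KB) encoded here so the decode path runs.
NOTE_TEMPLATE = (
    "---=== Welcome. Again. ===---\n\n"
    "Your files are encrypted, all files on your system has extension {EXT}.\n"
    "b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID}\n"
    "b) Open our secondary website: http://decoder.re/{UID}\n"
    "Key:\n\n\n{KEY}\n"
)
SAMPLE_CONFIG = json.dumps({
    "pk": "r58UPwgbaRk5py762WpY/rEsl1jd936THXwqUwID/iM=",
    "pid": "$2a$12$V3e/gZmP0hFlQhnJLAyOM.Fsb56ksfw0p42oLlNwf2Jou485ElO4K",
    "sub": "7987",
    "dbg": False,
    "et": 0,
    # The real blob ends in a NUL byte (its last base64 quartet decodes to "!!\0").
    "nbody": base64.b64encode(NOTE_TEMPLATE.encode() + b"\x00").decode(),
    "nname": "{EXT}-readme.txt",
    "rdmcnt": 0,
    "ext": ".rhkrc",
})

REQUIRED = ("pk", "nbody", "nname", "ext")


def parse_config(blob: str) -> dict:
    """Validate the JSON and decode the binary fields.

    Returns a copy with pk as raw bytes and nbody as text, trailing NUL removed.
    """
    cfg = json.loads(blob)
    missing = [k for k in REQUIRED if k not in cfg]
    if missing:
        raise ValueError(f"config missing keys: {missing}")
    pk = base64.b64decode(cfg["pk"], validate=True)
    if len(pk) != 32:
        # The pk in this family is a 32-byte public key; anything else is not this format.
        raise ValueError(f"unexpected pk length {len(pk)}")
    body = base64.b64decode(cfg["nbody"], validate=True).rstrip(b"\x00")
    out = dict(cfg)
    out["pk"] = pk
    out["nbody"] = body.decode("utf-8", errors="replace")
    return out


def render_note(cfg: dict, uid: str, key: str) -> tuple:
    """Fill the placeholders the way the dropped files in the report show.

    Assumption: {EXT} in the file name takes the extension without its dot
    ("rhkrc-readme.txt"), while {EXT} in the body keeps the dot.
    """
    ext = cfg["ext"]
    name = cfg["nname"].replace("{EXT}", ext.lstrip("."))
    body = (cfg["nbody"].replace("{EXT}", ext)
            .replace("{UID}", uid)
            .replace("{KEY}", key))
    return name, body


def extract_iocs(cfg: dict) -> dict:
    """Pull the indicators a responder would block or hunt for."""
    hosts = sorted(set(re.findall(r"https?://([A-Za-z0-9.-]+)", cfg["nbody"])))
    return {
        "extension": cfg["ext"],
        "note_name_glob": cfg["nname"].replace("{EXT}", "*"),
        "hosts": hosts,
        "onion_hosts": [h for h in hosts if h.endswith(".onion")],
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    name, body = render_note(cfg, "93F57EC393F57EC3", "<victim key blob>")
    print(name)
    print(body)
    print(extract_iocs(cfg))
```

Fed the real blob from the extractor line above, parse_config yields the full note and extract_iocs returns the .onion host, decoder.re and torproject.org (the template links to it) together with the *-readme.txt glob and the .rhkrc extension, which is what you feed into file-name and DNS hunts.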
Reads CPU information from /sys indicative of miner or evasive malware
Source: ./wQN5w2558L (PID: 2888)  Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 2952)  Reads CPU info from /sys: /sys/devices/system/cpu/online
Note: /sys/devices/system/cpu/online is the file glibc consults for sysconf(_SC_NPROCESSORS_ONLN), which is why the stock pkill trips the same signature; by itself this read is weak evidence of mining or evasion.

      Networking:

Found Tor onion address
      Source: bash, 2888.1.000000000104f000.00000000010a7000.rw-.sdmpString found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/93F57EC393F57EC3
      Source: bash, 2888.1.000000000104f000.00000000010a7000.rw-.sdmpString found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/93F57EC393F57EC3
      Source: bash, 2888.1.000000000104f000.00000000010a7000.rw-.sdmpString found in binary or memory: http://decoder.re/93F57EC393F57EC3
      Source: recently-used.xbel.XEOG50.79.drString found in binary or memory: http://freedesktop.org
      Source: recently-used.xbel.XEOG50.79.drString found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
      Source: recently-used.xbel.XEOG50.79.drString found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
      Source: bash, 2888.1.000000000104f000.00000000010a7000.rw-.sdmpString found in binary or memory: https://torproject.org/

      Spam, unwanted Advertisements and Ransom Demands:

Yara detected REvil Linux Ransomware
Source: Yara match  File source: wQN5w2558L, type: SAMPLE
Source: Yara match  File source: 2888.1.0000000000400000.0000000000415000.r-x.sdmp, type: MEMORY
Creates a notice file (html or txt) to demand a ransom
Source: ./wQN5w2558L  File dropped (identical contents in each location):
  • /home/user/.cache/obexd/rhkrc-readme.txt
  • /home/user/.cache/evolution/memos/trash/rhkrc-readme.txt
  • /home/user/.cache/evolution/memos/rhkrc-readme.txt
  • /home/user/.cache/evolution/calendar/trash/rhkrc-readme.txt
  • /home/user/.cache/evolution/calendar/rhkrc-readme.txt
  • /home/user/.cache/evolution/addressbook/trash/rhkrc-readme.txt
  • /home/user/.cache/evolution/addressbook/rhkrc-readme.txt
  • /home/user/.cache/evolution/sources/trash/rhkrc-readme.txt
  • /home/user/.cache/evolution/sources/rhkrc-readme.txt
  • /home/user/.cache/evolution/tasks/trash/rhkrc-readme.txt
Contents as shown in the report (case-folded, beginning mid-note): decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/93f57ec393f57ec32) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decoder.re/93f57ec393f57ec3warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:qagg18cdy3uhfybyvpqhhmi/var+n44etyekrcdic0wrlzrqqbqvlr+5/m86p+thzppupcc4nylht23

      Operating System Destruction:

Tries to kill VMware ESXi VMs
Source: ./wQN5w2558L (PID: 2958)  ESXcli VM kill: /bin/dash -> sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'"
Source: /bin/dash (PID: 2964)  ESXcli VM kill: /usr/bin/awk -> awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" $1)}"
Source: ./wQN5w2558L (PID: 2958)  ESXcli executable: /bin/dash -> sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'"
Source: /bin/dash (PID: 2964)  ESXcli executable: /usr/bin/awk -> awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" $1)}"
Note: the pipeline lists running VMs as CSV (WorldID,DisplayName), splits each line on the quoted comma and force-kills every world ID through awk's system(). On this Ubuntu analysis host there is no esxcli, which is why awk (PID 2964) appears in the process tree but no esxcli process does; on an ESXi host it would terminate every running VM so that the VMDK files are not held open while they are encrypted (the CSV header row is passed too, as --world-id=WorldID, which is not a valid world ID). The earlier sh -c "pkill -9 vmx-*" is the companion step: left unquoted in sh, vmx-* reaches pkill as an ERE meaning "vmx" followed by zero or more "-", so it matches any process whose name contains vmx, i.e. the per-VM vmx worlds.

Sample has stripped symbol table
Source: ELF static info symbol of initial sample  .symtab present: no

Source: classification engine  Classification label: mal76.rans.spre.evad.lin@0/507@0/0

      Persistence and Installation Behavior:

Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Source: ./wQN5w2558L (PID: 2888)  File written: /home/user/.bashrc
Note: the report records only that the file was written, not what was written. An encryptor that walks /home/user touches .bashrc in any case, so confirm persistence by diffing the file against a known-good copy or backup rather than relying on this signature alone.
Creates hidden files and/or directories
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 2785)  Directory: /home/user/.cache
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 2785)  Directory: /home/user/.local
Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 2785)  Directory: /home/user/.config
Source: /usr/bin/xfce4-terminal (PID: 2794)  Directory: /home/user/.cache
Source: /usr/bin/xfce4-terminal (PID: 2794)  Directory: /home/user/.local
Source: /usr/bin/xfce4-terminal (PID: 2794)  Directory: /home/user/.config
Note: every source here is a desktop component of the analysis VM (exo-helper-1, xfce4-terminal), not the sample; the dot-directories are the standard XDG cache, data and config paths those programs create on first launch.
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 2952)  File opened: /proc/<pid>/status and /proc/<pid>/cmdline for each of the following PIDs, in the order the report lists them: 909, 2032, 2152, 1336, 2700, 234, 1850, 118, 912, 10, 2703, 11, 12, 13, 14, 15, 16, 17, 18, 19, 2043, 484, 1, 2, 3, 2952, 4, 367, 2951, 5, 1223, 6, 1222, 7, 128, 2794, 8, 129, 9, 924, 2718, 529, 20, 21, 928, 22, 23, 24, 25, 26, 28, 29
Note: this is pkill's normal scan of /proc to match the pattern vmx-* (it reads status for the process name and cmdline for the full command line), not the sample reading /proc itself; the list includes pkill (2952) and the dash that spawned it (2951).
      Source: /usr/bin/pkill (PID: 2952)File opened: /proc/2053/statusJump to behavior
      Source: /usr/bin/pkill (PID: 2952)File opened: /proc/2053/cmdlineJump to behavior
Source: /bin/dash (PID: 2891) Hostname executable: /bin/hostname -> hostname
Source: /bin/dash (PID: 2942) Hostname executable: /bin/hostname -> hostname
Source: /bin/dash (PID: 2952) Pkill executable: /usr/bin/pkill -> pkill -9 vmx-*
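The `/proc/<pid>/status` and `/proc/<pid>/cmdline` reads listed above are what `pkill -9 vmx-*` looks like from the kernel's side: pkill walks every pid, reads the process name from `status` and the arguments from `cmdline`, and tests its pattern against the name. The following model of that lookup is an added example, not code from the report or from the sample, and the `/proc` snapshot it runs on is constructed (the process names and pids in it are assumptions, though the pids are chosen to mirror the report). It shows three details a responder should know about this command: the shell expands an unquoted `vmx-*` as a glob before pkill sees it, the name pkill matches against is the kernel's 15-character `comm`, and the pattern is an unanchored regex, so `vmx-*` matches anything whose name contains `vmx`.

```python
"""Model of how pkill resolves `pkill -9 vmx-*` against /proc.

Added example, not from the sandbox report or the sample. The snapshot
below is constructed; the names and pids are assumptions.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

COMM_LEN = 15  # the kernel stores at most 15 characters of a process name

def fake_status(name: str) -> str:
    """Build the part of /proc/<pid>/status pkill cares about, with the
    kernel's comm truncation applied (assumption: names are ASCII)."""
    return f"Name:\t{name[:COMM_LEN]}\nState:\tS (sleeping)\n"

# Constructed snapshot: pid -> (/proc/<pid>/status text, raw /proc/<pid>/cmdline).
# cmdline is NUL separated exactly as the kernel exposes it.
PROC_SNAPSHOT: Dict[int, Tuple[str, bytes]] = {
    1:    (fake_status("systemd"),          b"/sbin/init\x00"),
    1223: (fake_status("sshd"),             b"/usr/sbin/sshd\x00-D\x00"),
    2053: (fake_status("vmx"),              b"/bin/vmx\x00-s\x00sched.group=host/user\x00"),
    2718: (fake_status("vmx-vthread-4321"), b"/bin/vmx\x00"),
    2794: (fake_status("xfce4-terminal"),   b"xfce4-terminal\x00"),
    2888: (fake_status("wQN5w2558L"),       b"./wQN5w2558L\x00"),
    2952: (fake_status("pkill"),            b"pkill\x00-9\x00vmx-*\x00"),
}

def shell_expand(pattern: str, cwd_entries: List[str]) -> List[str]:
    """The step that runs before pkill is executed: dash treats an
    unquoted `vmx-*` as a glob. If nothing in the working directory
    matches, the literal string is passed through as the pattern."""
    hits = [e for e in cwd_entries if fnmatch.fnmatch(e, pattern)]
    return sorted(hits) if hits else [pattern]

def read_comm(status_text: str) -> str:
    """Extract the Name: field, the value pkill matches against by default."""
    for line in status_text.splitlines():
        if line.startswith("Name:"):
            return line.split(":", 1)[1].strip()
    return ""

def pkill_matches(pattern: str, snapshot: Dict[int, Tuple[str, bytes]],
                  full: bool = False, self_pid: int = 2952) -> List[int]:
    """Return the pids `pkill [-f] <pattern>` would signal.

    Like pkill, the regex is unanchored (re.search), matched against comm
    unless full=True (-f), in which case the whole command line is used,
    and pkill's own process is never a candidate.
    """
    regex = re.compile(pattern)
    matched = []
    for pid, (status_text, cmdline) in sorted(snapshot.items()):
        if pid == self_pid:
            continue
        if full:
            subject = cmdline.rstrip(b"\x00").replace(b"\x00", b" ").decode()
        else:
            subject = read_comm(status_text)
        if regex.search(subject):
            matched.append(pid)
    return matched

if __name__ == "__main__":
    pattern = shell_expand("vmx-*", ["wQN5w2558L", "readme.txt"])[0]
    print("pattern after shell expansion:", pattern)
    print("pids matched on comm:", pkill_matches(pattern, PROC_SNAPSHOT))
    print("pids matched on full cmdline:", pkill_matches(pattern, PROC_SNAPSHOT, full=True))
```

In the ESXi case the sample is after the `vmx` worker processes, one per running VM; once those die the VM's disk files are no longer locked and can be encrypted. The same pattern on a general-purpose Linux host matches nothing, which is why the enumeration above ends without any kill.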
Source: /usr/bin/xfce4-terminal (PID: 2794) File: /home/user/.config/ibus/bus (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.xscreensaver (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/motd.legal-displayed (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/update-manager-core/meta-release-lts (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/bf3b770c553c462765856025a94f1ce6-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/cabbd14511b9e8a55e92af97fb3a0461-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/e13b20fdb08344e0e664864cc2ede53d-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/CACHEDIR.TAG (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/a41116dafaf8b233ac2c61cb73f2ea5f-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/d589a48862398ed80a3d6066f4f56f4c-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/158c65c810c0d352a587f5be66058e87-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/e49e89034d371f0f9de17aab02136486-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/fontconfig/4b14b093aebc79c320de5e86ae1d3314-le64.cache-6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/sessions/thumbs-ubuntu-analyzer:0/Default.png (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/gstreamer-1.0/registry.x86_64.bin (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/blueman-applet-1000 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gnome-keyring-ssh.log.6.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gpg-agent.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/startxfce4.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/upstart-event-bridge.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/upstart-event-bridge.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/startxfce4.log.6.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/upstart-event-bridge.log.5.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/dbus.log.5.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/ssh-agent.log.6.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gnome-keyring-ssh.log.7.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-bluetooth.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-release.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-release.log.7.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/ssh-agent.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/ssh-agent.log.5.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/ssh-agent.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-session.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-release.log.5.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.5.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-application.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-release.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/dbus.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/ssh-agent.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/dbus.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-release.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-sound.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-release.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/upstart-event-bridge.log.7.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/ssh-agent.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gnome-keyring-ssh.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/startxfce4.log.5.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/upstart-event-bridge.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gnome-keyring-ssh.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-release.log.6.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/dbus.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-datetime.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/startxfce4.log.7.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-power.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gpg-agent.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gpg-agent.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-keyboard.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gpg-agent.log.2.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gpg-agent.log.5.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gpg-agent.log.6.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/startxfce4.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-sound.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-sound.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/startxfce4.log (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/dbus.log.7.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gnome-keyring-ssh.log.5.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/dbus.log.6.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gnome-keyring-ssh.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.6.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/startxfce4.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/ssh-agent.log.7.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/dbus.log.3.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gpg-agent.log.7.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-sound.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/indicator-keyboard.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/upstart-event-bridge.log.6.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/startxfce4.log.4.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/gnome-keyring-ssh.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/upstart/upstart-event-bridge.log.1.gz (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/xfce4-indicator-plugin.log (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/xfce4-notifyd-theme.rc (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/directoryLinks.json (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/OfflineCache/index.sqlite (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/thumbnails/f1777111f5d0f1c81ffa04de751128fa.png (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/startupCache.8.little (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/urlCache.bin (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/scriptCache.bin (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/webext.sc.lz4 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/scriptCache-child.bin (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flashallow-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-unwanted-simple.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/base-track-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-phish-simple.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flashsubdoc-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/block-flash-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-harmful-simple.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/allow-flashallow-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-malware-simple.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-phish-simple.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-track-simple.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-block-simple.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/block-flash-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/mozplugin-block-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/base-track-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flashsubdoc-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/block-flashsubdoc-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-trackwhite-simple.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flash-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-trackwhite-simple.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-unwanted-simple.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/allow-flashallow-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/mozstd-trackwhite-digest256.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-block-simple.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-malware-simple.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flash-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/block-flashsubdoc-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-track-simple.pset (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-harmful-simple.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/mozplugin-block-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/mozstd-trackwhite-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flashallow-digest256.sbstore (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/ce_T151c2VyQ29udGV4dElkPTEs (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/5A54E53FB3BC53E73B1E6C575995E2485DDF05AE (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/3288ECCBE79F56B14DBE6FEAC3F20AEA108CD0F1 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/7B303216787123E2E98A2B9594CDF8211C77C0EA (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/BD75785200C0E1E894D78880C72AC03D1B02A575 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/0AB1BE712BE7745C73A5EFA8DFC4780205FD18D7 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/EFBDF11BE5924869AB758722597BCD4B9EAF851C (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/209BF9506FC39F83D5367695CBEA892DE228933A (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E59C4C731883450D84A0BAE7FDD94546BBC8DE04 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/A8DCC7B604F78716CE26EF1511D819991F119B22 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/C03274A1DDB8C8456BCF45E0E89194DCDADF46C0 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/8D418B8419BE8FFD07185661A573F8B8521147C5 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/698AC159A6BCBA0D13FE6F10F1A38E498F826F33 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/39C1621C6763027D614390D31A517751A4AD91C3 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/A5A82E00158C0784FE9E6B08670D514F8348D245 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/F2CFCA6D14DE5FA96E3127D89121F2E6F004D2CD (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/D8CC044500B261C6794589BED782B70836EAD65C (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E325B486B777C14C29762600D998974140F8FD34 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/196BCA845E91608F7B4CA6127A60D20AF55413AC (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/63F48F4F7F1BC3195F5AB831F9794F3DBA2D30E1 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/6B459D246F7887BA8513F5801DE752A08094DD8A (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/05582FF5C196A4485F189490FEC9ECEA0890DA32 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E771454BB360CA5F7AA169E5416B493549BC2F59 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/B7DB036074231ACC212F58CA5B8AF0545A418060 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/44852F548E2DA4AF2A968DAF307485F74EF6F3C0 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/2BC6D22E320C3AD5F122613FBBF24D8F8DDFE8D2 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/44F81E7E214B17FF25AC54556BC33AC0C1A62B26 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/A698B6CF98F43F9B0EE1C1DAF3F2CB9BFF09A47C (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/F8AC72083E334F70A553AE68455FBDF0E65C5221 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/F17F04878A68505AE5481A71D8B733C5FFC6F285 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/5A9F94FBA58DB2BB86940F164F51C5190533CAC7 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E6D66AFFD836C8C13B306AAB42C9C6E3425363B6 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/AAD09DC668B8529769AEBA7A4A9EC20D79EC925A (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E7EAFD1748127CEAA48DCDD05E7998E3CAA95B8C (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/2B610FAD6EE6174C3C15BA488F7D896FD22FF794 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/65856B83CBC9E01A5FFF9981914F04B0F6436116 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/DC07751AD90150C6B658CD05E99F18A6A725B500 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/5E4954707B44E5A4B4ACF5F22B52219A1DCA477F (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/3DF10699984A3086A21900FAEC5595CBE3948F33 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/1AA5DF3AA9BAF5D88A5D31A2D2753A33FA1BE5DB (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/567881F4A84A4E54FD9DE83AA17D8ADA4C81402C (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/13B6B1BA274AC60E2BBF033AA422B2D3D3B07FD1 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/18CE467B00ED7B507CC72681EDCED9F73527CDD9 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/9548F9611999ED8CA357720E12017816424CFB6F (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/076B04687E353A48BF9F8F54C7556DD5EE9381D0 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E4ED869149E42472064566CF555F4CBDFA43F6CE (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/2F8D3E7DF38A8EFF19A37E06DB9A7C5A88B70C11 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/1679441B8AA7B4D31717C773CC4E86A25B37532B (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/DE556ABC4C4DACD7976DC8E9EB9F5C9DC0E7B076 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/3BE2F225068DFB4AA8BD93F696A41C16C8CFA27F (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/480A7F2B2D435C5021E4D92358EBDE99275450C8 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/2EEBE7D9E8B2C0EC2F1A732F578AEFE4851A2A53 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/499B8F86D3D7ACD12153BFF4E7D9C21E20E57862 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/D6D7AC0B3D4DAC40D7A42CBE0FCCD3EF6B2BB312 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/5DDA527DCC532D0D7032913A302155F3451E45B3 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/7051A1E5425B79519AE6F65AD3BB2390F7D1C39B (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/ce_T151c2VyQ29udGV4dElkPTEsYSw= (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.cache/logrotate/status (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.xsession-errors (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.dmrc (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.bashrc (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.dbus/session-bus/f0b45546524a75b2e6e8e8a55aab94da-0 (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/203a169dec3216fbb03bc6760e7d0f9a.png (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/d7de604c8b54b08bf50a3c2c28efd2df.png (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/2454247923350b5d65d258305ccf59ce.png (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/6635e1111ee0cd4813b439af8913fa49.png (bits: - usr: - grp: - all: rwx)
Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/12095cb0c16f1a0895ab343c7eb4b7c6.png (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888)File: ./.bash_history (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.profile (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.Xauthority (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/profiles.ini (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/Crash Reports/InstallTime20180313132747 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/pkcs11.txt (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/favicons.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/SecurityPreloadState.txt (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/AlternateServices.txt (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/cert9.db (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/search.json.mozlz4 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/saved-telemetry-pings/583ee681-7cfa-4d12-8648-eb797a8eec37 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/saved-telemetry-pings/9c07e1b5-a82a-432e-9a4c-18a3a975ad85 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/saved-telemetry-pings/e0d24830-8ed6-4f1a-b4e9-bfe84de4fc39 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/compatibility.ini (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/addonStartup.json.lz4 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/content-prefs.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/sessionstore.jsonlz4 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/key3.db (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/addons.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/containers.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/datareporting/state.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/datareporting/session-state.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/datareporting/archived/2018-04/1524571606164.583ee681-7cfa-4d12-8648-eb797a8eec37.first-shutdown.jsonlz4 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/datareporting/archived/2018-04/1524571606142.e0d24830-8ed6-4f1a-b4e9-bfe84de4fc39.new-profile.jsonlz4 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/datareporting/archived/2018-04/1524571606162.9c07e1b5-a82a-432e-9a4c-18a3a975ad85.main.jsonlz4 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/SiteSecurityServiceState.txt (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/xulstore.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/times.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/key4.db (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/blocklist.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/cookies.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/cert8.db (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/prefs.js (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/webappsstore.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/sessionCheckpoints.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/permissions.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/places.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/shield-preference-experiments.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/.parentlock (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/extensions.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage/permanent/chrome/.metadata-v2 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage/permanent/chrome/idb/3561288849sdhlie.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage/permanent/chrome/idb/2918063365piupsah.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage/permanent/chrome/.metadata (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage/default/about+newtab/.metadata-v2 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage/default/about+newtab/idb/3312185054sbndi_pspte.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage/default/about+newtab/idb/3312185054sbndi_pspte.files/1 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/storage/default/about+newtab/.metadata (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/handlers.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.mozilla/firefox/u5o5kk16.default/secmod.db (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.xsession-errors.old (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/recently-used.xbel (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/evolution/calendar/system/calendar.ics (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/evolution/addressbook/system/contacts.db (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/evolution/tasks/system/tasks.ics (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/applications/mimeapps.list (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/gvfs-metadata/root-d269eba3.log (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/gvfs-metadata/home-02b035a1.log (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/gvfs-metadata/home (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/gvfs-metadata/root (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/keyrings/user.keystore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/keyrings/login.keyring (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.local/share/session_migration-xubuntu (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.sudo_as_admin_successful (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/Thunar/uca.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/mimeapps.list (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/evolution/sources/system-proxy.source (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/pulse/cookie (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-card-database.tdb (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-stream-volumes.tdb (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-device-volumes.tdb (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-default-source (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-default-sink (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/user-dirs.locale (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/dconf/user (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/gedit/accels (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libaccounts-glib/accounts.db (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/user-dirs.dirs (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/panel/whiskermenu-1.rc (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/desktop/icons.screen0-1008x727.rc (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/desktop/icons.screen0-1008x752.rc (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/desktop/icons.screen0-784x559.rc (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfwm4.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/xfconf/xfce-perchannel-xml/keyboards.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-desktop.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-keyboard-shortcuts.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/uno_packages/cache/registry/com.sun.star.comp.deployment.help.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/uno_packages/cache/log.txt (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/gallery/sg30.thm (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/gallery/sg30.sdv (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/registrymodifications.xcu (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/database/biblio/biblio.dbf (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/database/biblio/biblio.dbt (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/database/evolocal.odb (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/database/biblio.odb (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/basic/dialog.xlc (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/basic/Standard/Module1.xba (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/basic/Standard/dialog.xlb (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/basic/Standard/script.xlb (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/basic/script.xlc (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/autotext/mytexts.bau (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/config/autotbl.fmt (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/config/javasettings_Linux_X86_64.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/psprint/pspfontcache (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/shared/lastsynchronized (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/shared/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/shared/registry/com.sun.star.comp.deployment.help.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/buildid (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/tmp/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/tmp/registry/com.sun.star.comp.deployment.help.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/bundled/lastsynchronized (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/bundled/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.config/libreoffice/4/user/extensions/bundled/registry/com.sun.star.comp.deployment.help.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./wQN5w2558L (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.bash_logout (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.viminfo (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.ICEauthority (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: /usr/bin/mousepad (PID: 3040)File: /home/user/.config/ibus/bus (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888) JavaScript file created: /home/user/.mozilla/firefox/u5o5kk16.default/prefs.js
      Source: /bin/dash (PID: 2964) Awk executable: /usr/bin/awk -> awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" $1)}"
      Source: ./wQN5w2558L (PID: 2888) Log file created: /home/user/.cache/upstart/startxfce4.log
      Source: ./wQN5w2558L (PID: 2888) Log file created: /home/user/.cache/xfce4-indicator-plugin.log
      Source: ./wQN5w2558L (PID: 2888) Log file created: /home/user/.local/share/gvfs-metadata/home-02b035a1.log
      Source: ./wQN5w2558L (PID: 2888) Log file created: /home/user/.local/share/gvfs-metadata/root-d269eba3.log
      Source: ./wQN5w2558L (PID: 2888) Reads CPU info from /sys: /sys/devices/system/cpu/online
      Source: /usr/bin/pkill (PID: 2952) Reads CPU info from /sys: /sys/devices/system/cpu/online
      Source: /usr/bin/exo-open (PID: 2755) Queries kernel information via 'uname'
      Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 2785) Queries kernel information via 'uname'
      Source: /usr/bin/xfce4-terminal (PID: 2794) Queries kernel information via 'uname'
      Source: /bin/bash (PID: 2807) Queries kernel information via 'uname'
      Source: /bin/uname (PID: 2890) Queries kernel information via 'uname'
      Source: /bin/hostname (PID: 2891) Queries kernel information via 'uname'
      Source: /bin/uname (PID: 2898) Queries kernel information via 'uname'
      Source: /bin/hostname (PID: 2942) Queries kernel information via 'uname'
      Source: /usr/bin/pkill (PID: 2952) Queries kernel information via 'uname'
      Source: /usr/bin/mousepad (PID: 3040) Queries kernel information via 'uname'

      Stealing of Sensitive Information:

      Sample reads from .bash_history
      Source: ./wQN5w2558L (PID: 2888) File: /home/user/.bash_history

      Mitre Att&ck Matrix

      One row per tactic; the number in parentheses is the matched-signature count shown in the original matrix (techniques without a number were not matched).

      Tactic                 | Techniques
      -----------------------|----------------------------------------------------------------------------------------------------------
      Initial Access         | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
      Execution              | Command and Scripting Interpreter (1); Scripting (1); At (Linux); At (Windows)
      Persistence            | .bash_profile and .bashrc (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Privilege Escalation   | .bash_profile and .bashrc (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Defense Evasion        | File and Directory Permissions Modification (1); Disable or Modify Tools (1); Scripting (1); Hidden Files and Directories (1)
      Credential Access      | OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS
      Discovery              | Security Software Discovery (1); System Information Discovery (2); Query Registry; System Network Configuration Discovery
      Lateral Movement       | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
      Collection             | Data from Local System (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
      Exfiltration           | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
      Command and Control    | Proxy (1); Junk Data; Steganography; Protocol Impersonation
      Network Effects        | Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
      Remote Service Effects | Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
      Impact                 | Modify System Partition; Device Lockout; Delete Device Data

      Malware Configuration

      Threatname: REvil

      {"pk": "r58UPwgbaRk5py762WpY/rEsl1jd936THXwqUwID/iM=", "pid": "$2a$12$V3e/gZmP0hFlQhnJLAyOM.Fsb56ksfw0p42oLlNwf2Jou485ElO4K", "sub": "7987", "dbg": false, "et": 0, "nbody": "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", "nname": "{EXT}-readme.txt", "rdmcnt": 0, "ext": ".rhkrc"}

      Behavior Graph

      Behavior Graph ID: 1504951  Sample: wQN5w2558L  Startdate: 01/07/2021  Architecture: LINUX  Score: 76

      Signatures on the sample node: Found malware configuration; Yara detected REvil Linux Ransomware; Found Tor onion address; Creates a notice file (html or txt) to demand a ransom.

      Process tree recovered from the graph (parent -> child, indented by depth):

      wrapper-1.0 -> exo-open
        exo-open -> exo-open
          exo-open -> exo-helper-1
            exo-helper-1 -> xfce4-terminal
              xfce4-terminal -> gnome-pty-helper
              xfce4-terminal -> bash
                bash -> wQN5w2558L
                  dropped: /home/user/.cache/obexd/rhkrc-readme.txt (ASCII); /home/user/.cache/...sh/rhkrc-readme.txt (ASCII, two entries); 13 other files (9 malicious)
                  signatures: Sample reads from .bash_history; Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
                  wQN5w2558L -> dash  [Tries to kill VMware ESXi VMs]
                    dash -> awk  [Tries to kill VMware ESXi VMs]
                    dash -> dash
                  wQN5w2558L -> dash
                    dash -> uname
                    dash -> hostname
                  wQN5w2558L -> dash
                    dash -> uname
                    dash -> hostname
                  wQN5w2558L -> dash
                    dash -> pkill
                bash -> bash
                  bash -> lesspipe
                    lesspipe -> basename
                    lesspipe -> lesspipe
                      lesspipe -> dirname
                bash -> bash
                  bash -> dircolors
                bash -> 6 other processes
                  -> ls
      thunar -> mousepad

      Screenshots

      Thumbnails
