Linux Analysis Report wQN5w2558L

Overview

General Information

Sample Name: wQN5w2558L
Analysis ID: 1504951
MD5: 395249d3e6dae1caff6b5b2e1f75bacd
SHA1: 29f16c046a344e0d0adfea80d5d7958d6b6b8cfa
SHA256: ea1872b2835128e3cb49a0bc27e4727ca33c4e6eba1e80422db19b505f965bc4

Detection

REvil
Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Found malware configuration
Yara detected REvil Linux Ransomware
Creates a notice file (html or txt) to demand a ransom
Found Tor onion address
Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
Sample reads from .bash_history
Tries to kill VMware ESXi VMs
Creates hidden files and/or directories
Enumerates processes within the "proc" file system
Executes the "hostname" command used to retrieve the computers name
Executes the "kill" or "pkill" command typically used to terminate processes
Reads CPU information from /sys indicative of miner or evasive malware
Sample has stripped symbol table
Sample tries to set the executable flag
Tries to execute "esxcli" command used for VMware ESXi administration
Uses the "uname" system call to query kernel version information (possible evasion)
Writes JavaScript files to disk

General Information

Joe Sandbox Version:
Analysis ID: 1504951
Start date: 01.07.2021
Start time: 20:56:04
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 12m 1s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: wQN5w2558L
Cookbook file name: defaultlinuxinteractivecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Analysis Mode: default
Detection: MAL
Classification: mal76.rans.spre.evad.lin@0/507@0/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.39, 91.189.92.38, 91.189.92.40, 91.189.92.41, 91.189.92.19, 91.189.92.20
  • Excluded domains from analysis (whitelisted): api.snapcraft.io
  • Report size exceeded maximum capacity and may have missing behavior information.

Process Tree

  • system is lnxubuntu1
  • exo-open (PID: 2755, Parent: 2123, MD5: 39c5fa78f1cb3d950b9944f784018d3a) Arguments: exo-open --launch TerminalEmulator
    • exo-open New Fork (PID: 2784, Parent: 2755)
      • exo-open New Fork (PID: 2785, Parent: 2784)
      • exo-helper-1 (PID: 2785, Parent: 1889, MD5: c27a648e34ba5ce625d064af015be147) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 --launch TerminalEmulator
        • xfce4-terminal (PID: 2794, Parent: 2785, MD5: cd860c0a24d13e4caacc08ebe89aa930) Arguments: /usr/bin/xfce4-terminal
          • gnome-pty-helper (PID: 2806, Parent: 2794, MD5: 4847c5390dc12d6acfdd19fef054f30a) Arguments: gnome-pty-helper
          • bash (PID: 2807, Parent: 2794, MD5: 5e666695cf08d1638bb85684e30185ee) Arguments: bash
            • bash New Fork (PID: 2824, Parent: 2807)
              • bash New Fork (PID: 2825, Parent: 2824)
              • lesspipe (PID: 2825, Parent: 2824, MD5: 80a46999efd72ca140acc1990050d65c) Arguments: /bin/sh /usr/bin/lesspipe
                • lesspipe New Fork (PID: 2829, Parent: 2825)
                • basename (PID: 2829, Parent: 2825, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/bin/lesspipe
                • lesspipe New Fork (PID: 2831, Parent: 2825)
                  • lesspipe New Fork (PID: 2832, Parent: 2831)
                  • dirname (PID: 2832, Parent: 2831, MD5: 109f56157fe89667043fd1cca87b24fa) Arguments: dirname /usr/bin/lesspipe
            • bash New Fork (PID: 2833, Parent: 2807)
              • bash New Fork (PID: 2834, Parent: 2833)
              • dircolors (PID: 2834, Parent: 2833, MD5: 1c7070b855358283a329458ff4fbebab) Arguments: dircolors -b
            • bash New Fork (PID: 2863, Parent: 2807)
              • bash New Fork (PID: 2864, Parent: 2863)
              • ls (PID: 2864, Parent: 2863, MD5: f3b92d795c9ee0725c160680acd084d9) Arguments: ls /etc/bash_completion.d
            • bash New Fork (PID: 2873, Parent: 2807)
            • bash New Fork (PID: 2874, Parent: 2807)
            • bash New Fork (PID: 2875, Parent: 2807)
            • bash New Fork (PID: 2876, Parent: 2807)
            • bash New Fork (PID: 2877, Parent: 2807)
            • mv (PID: 2877, Parent: 2807, MD5: 0cdfdd010d5f4acab64a1d89066c92e9) Arguments: mv Desktop/wQN5w2558L .
            • bash New Fork (PID: 2888, Parent: 2807)
            • wQN5w2558L (PID: 2888, Parent: 2807, MD5: unknown) Arguments: ./wQN5w2558L
              • dash (PID: 2889, Parent: 2888, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "uname -a && echo \" | \" && hostname"
                • dash New Fork (PID: 2890, Parent: 2889)
                • uname (PID: 2890, Parent: 2889, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -a
                • dash New Fork (PID: 2891, Parent: 2889)
                • hostname (PID: 2891, Parent: 2889, MD5: 79300176c96052498937c20a23cef810) Arguments: hostname
              • dash (PID: 2894, Parent: 2888, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "uname -a && echo \" | \" && hostname"
                • dash New Fork (PID: 2898, Parent: 2894)
                • uname (PID: 2898, Parent: 2894, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: uname -a
                • dash New Fork (PID: 2942, Parent: 2894)
                • hostname (PID: 2942, Parent: 2894, MD5: 79300176c96052498937c20a23cef810) Arguments: hostname
              • dash (PID: 2951, Parent: 2888, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "pkill -9 vmx-*"
                • dash New Fork (PID: 2952, Parent: 2951)
                • pkill (PID: 2952, Parent: 2951, MD5: f3b843351a404d4e8d4ce0ed0775fa9c) Arguments: pkill -9 vmx-*
              • dash (PID: 2958, Parent: 2888, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'"
                • dash New Fork (PID: 2963, Parent: 2958)
                • dash New Fork (PID: 2964, Parent: 2958)
                • awk (PID: 2964, Parent: 2958, MD5: 1bb5d753c2edd5bae269563a5ec6d0fe) Arguments: awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" $1)}"
  • thunar New Fork (PID: 3040, Parent: 3039)
  • mousepad (PID: 3040, Parent: 3039, MD5: aa2bab7862768edb3685f57fdc81d9f2) Arguments: mousepad /home/user/Desktop/rhkrc-readme.txt
  • cleanup

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
wQN5w2558L | JoeSecurity_REvilLinux | Yara detected REvil Linux Ransomware | Joe Security |

    Memory Dumps

    Source | Rule | Description | Author | Strings
    2888.1.0000000000400000.0000000000415000.r-x.sdmp | JoeSecurity_REvilLinux | Yara detected REvil Linux Ransomware | Joe Security |

      Jbx Signature Overview

      AV Detection:

      Found malware configuration
      Source: 2888.1.0000000000615000.000000000061a000.rw-.sdmp - Malware Configuration Extractor: REvil {"pk": "r58UPwgbaRk5py762WpY/rEsl1jd936THXwqUwID/iM=", "pid": "$2a$12$V3e/gZmP0hFlQhnJLAyOM.Fsb56ksfw0p42oLlNwf2Jou485ElO4K", "sub": "7987", "dbg": false, "et": 0, "nbody": "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", "nname": "{EXT}-readme.txt", "rdmcnt": 0, "ext": ".rhkrc"}
      Source: ./wQN5w2558L (PID: 2888) - Reads CPU info from /sys: /sys/devices/system/cpu/online
      Source: /usr/bin/pkill (PID: 2952) - Reads CPU info from /sys: /sys/devices/system/cpu/online

      Networking:

      Found Tor onion address
      Source: bash, 2888.1.000000000104f000.00000000010a7000.rw-.sdmp - String found in binary or memory: b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/93F57EC393F57EC3
      Source: bash, 2888.1.000000000104f000.00000000010a7000.rw-.sdmp - String found in binary or memory: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/93F57EC393F57EC3
      Source: bash, 2888.1.000000000104f000.00000000010a7000.rw-.sdmp - String found in binary or memory: http://decoder.re/93F57EC393F57EC3
      Source: recently-used.xbel.XEOG50.79.dr - String found in binary or memory: http://freedesktop.org
      Source: recently-used.xbel.XEOG50.79.dr - String found in binary or memory: http://www.freedesktop.org/standards/desktop-bookmarks
      Source: recently-used.xbel.XEOG50.79.dr - String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
      Source: bash, 2888.1.000000000104f000.00000000010a7000.rw-.sdmp - String found in binary or memory: https://torproject.org/

      Spam, unwanted Advertisements and Ransom Demands:

      Yara detected REvil Linux Ransomware
      Source: Yara match - File source: wQN5w2558L, type: SAMPLE
      Source: Yara match - File source: 2888.1.0000000000400000.0000000000415000.r-x.sdmp, type: MEMORY
      Creates a notice file (html or txt) to demand a ransom
      Source: ./wQN5w2558L - File dropped: /home/user/.cache/obexd/rhkrc-readme.txt -> decrypt one file for free. that is our guarantee.if you will not cooperate with our service - for us, its does not matter. but you will lose your time and data, cause just we have the private key. in practise - time is much more valuable than money.[+] how to get access on website? [+]you have two ways:1) [recommended] using a tor browser! a) download and install tor browser from this site: https://torproject.org/ b) open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/93f57ec393f57ec32) if tor blocked in your country, try to use vpn! but you can use our secondary website. for this: a) open your any browser (chrome, firefox, opera, ie, edge) b) open our secondary website: http://decoder.re/93f57ec393f57ec3warning: secondary website can be blocked, thats why first variant much better and more available.when you open our website, put the following data in the input form:key:qagg18cdy3uhfybyvpqhhmi/var+n44etyekrcdic0wrlzrqqbqvlr+5/m86p+thzppupcc4nylht23
      Source: ./wQN5w2558L - File dropped with the same notice text as above:
        /home/user/.cache/evolution/memos/trash/rhkrc-readme.txt
        /home/user/.cache/evolution/memos/rhkrc-readme.txt
        /home/user/.cache/evolution/calendar/trash/rhkrc-readme.txt
        /home/user/.cache/evolution/calendar/rhkrc-readme.txt
        /home/user/.cache/evolution/addressbook/trash/rhkrc-readme.txt
        /home/user/.cache/evolution/addressbook/rhkrc-readme.txt
        /home/user/.cache/evolution/sources/trash/rhkrc-readme.txt
        /home/user/.cache/evolution/sources/rhkrc-readme.txt
        /home/user/.cache/evolution/tasks/trash/rhkrc-readme.txt

      Operating System Destruction:

      Tries to kill VMware ESXi VMs
      Source: ./wQN5w2558L (PID: 2958) - ESXcli VM kill: /bin/dash -> sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'"
      Source: /bin/dash (PID: 2964) - ESXcli VM kill: /usr/bin/awk -> awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" $1)}"
      Source: ./wQN5w2558L (PID: 2958) - ESXcli executable: /bin/dash -> sh -c "esxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" '{system(\"esxcli vm process kill --type=force --world-id=\" $1)}'"
      Source: /bin/dash (PID: 2964) - ESXcli executable: /usr/bin/awk -> awk -F "\"*,\"*" "{system(\"esxcli vm process kill --type=force --world-id=\" $1)}"
      Source: ELF static info symbol of initial sample - .symtab present: no
      Source: classification engine - Classification label: mal76.rans.spre.evad.lin@0/507@0/0

      Persistence and Installation Behavior:

      Modifies the '.bashrc' or '.bash_profile' file typically for persisting actions
      Source: ./wQN5w2558L (PID: 2888) - File written: /home/user/.bashrc
      Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 2785) - Directory: /home/user/.cache
      Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 2785) - Directory: /home/user/.local
      Source: /usr/lib/x86_64-linux-gnu/xfce4/exo-1/exo-helper-1 (PID: 2785) - Directory: /home/user/.config
      Source: /usr/bin/xfce4-terminal (PID: 2794) - Directory: /home/user/.cache
      Source: /usr/bin/xfce4-terminal (PID: 2794) - Directory: /home/user/.local
      Source: /usr/bin/xfce4-terminal (PID: 2794) - Directory: /home/user/.config
      Source: /bin/dash (PID: 2891) - Hostname executable: /bin/hostname -> hostname
      Source: /bin/dash (PID: 2942) - Hostname executable: /bin/hostname -> hostname
      Source: /bin/dash (PID: 2952) - Pkill executable: /usr/bin/pkill -> pkill -9 vmx-*
      Source: /usr/bin/xfce4-terminal (PID: 2794) - File: /home/user/.config/ibus/bus (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.xscreensaver (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/motd.legal-displayed (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/update-manager-core/meta-release-lts (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/bf3b770c553c462765856025a94f1ce6-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/cabbd14511b9e8a55e92af97fb3a0461-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/e13b20fdb08344e0e664864cc2ede53d-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/CACHEDIR.TAG (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/7ef2298fde41cc6eeb7af42e48b7d293-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/a41116dafaf8b233ac2c61cb73f2ea5f-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/d589a48862398ed80a3d6066f4f56f4c-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/158c65c810c0d352a587f5be66058e87-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/e49e89034d371f0f9de17aab02136486-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/fontconfig/4b14b093aebc79c320de5e86ae1d3314-le64.cache-6 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/sessions/thumbs-ubuntu-analyzer:0/Default.png (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) - File: ./.cache/gstreamer-1.0/registry.x86_64.bin (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/blueman-applet-1000 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gnome-keyring-ssh.log.6.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gpg-agent.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/startxfce4.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/upstart-event-bridge.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/upstart-event-bridge.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/startxfce4.log.6.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/upstart-event-bridge.log.5.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/dbus.log.5.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/ssh-agent.log.6.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gnome-keyring-ssh.log.7.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-bluetooth.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-release.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-release.log.7.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/ssh-agent.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/ssh-agent.log.5.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/ssh-agent.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-session.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-release.log.5.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.5.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-application.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-release.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/dbus.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/ssh-agent.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/dbus.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-release.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-sound.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-release.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/upstart-event-bridge.log.7.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/ssh-agent.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gnome-keyring-ssh.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/startxfce4.log.5.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/upstart-event-bridge.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gnome-keyring-ssh.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-release.log.6.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/dbus.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-datetime.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/startxfce4.log.7.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-power.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gpg-agent.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gpg-agent.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-keyboard.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gpg-agent.log.2.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gpg-agent.log.5.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gpg-agent.log.6.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/startxfce4.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-sound.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-sound.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/startxfce4.log (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/dbus.log.7.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gnome-keyring-ssh.log.5.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/dbus.log.6.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gnome-keyring-ssh.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/update-notifier-crash-_var_crash__usr_bin_blueman-applet.0.crash.log.6.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/startxfce4.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/ssh-agent.log.7.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/dbus.log.3.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gpg-agent.log.7.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-sound.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/indicator-keyboard.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/upstart-event-bridge.log.6.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/startxfce4.log.4.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/gnome-keyring-ssh.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/upstart/upstart-event-bridge.log.1.gz (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/xfce4-indicator-plugin.log (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/xfce4-notifyd-theme.rc (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/directoryLinks.json (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/OfflineCache/index.sqlite (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/thumbnails/f1777111f5d0f1c81ffa04de751128fa.png (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/startupCache.8.little (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/urlCache.bin (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/scriptCache.bin (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/webext.sc.lz4 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/startupCache/scriptCache-child.bin (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flashallow-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-unwanted-simple.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/base-track-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-phish-simple.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flashsubdoc-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/block-flash-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-harmful-simple.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/allow-flashallow-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-malware-simple.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-phish-simple.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-track-simple.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-block-simple.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/block-flash-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/mozplugin-block-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/base-track-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flashsubdoc-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/block-flashsubdoc-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-trackwhite-simple.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flash-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-trackwhite-simple.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-unwanted-simple.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/allow-flashallow-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/mozstd-trackwhite-digest256.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-block-simple.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-malware-simple.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flash-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/block-flashsubdoc-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-track-simple.pset (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/test-harmful-simple.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/mozplugin-block-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/mozstd-trackwhite-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/safebrowsing/except-flashallow-digest256.sbstore (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/ce_T151c2VyQ29udGV4dElkPTEs (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/5A54E53FB3BC53E73B1E6C575995E2485DDF05AE (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/3288ECCBE79F56B14DBE6FEAC3F20AEA108CD0F1 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/7B303216787123E2E98A2B9594CDF8211C77C0EA (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/BD75785200C0E1E894D78880C72AC03D1B02A575 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/0AB1BE712BE7745C73A5EFA8DFC4780205FD18D7 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/EFBDF11BE5924869AB758722597BCD4B9EAF851C (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/209BF9506FC39F83D5367695CBEA892DE228933A (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E59C4C731883450D84A0BAE7FDD94546BBC8DE04 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/A8DCC7B604F78716CE26EF1511D819991F119B22 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/C03274A1DDB8C8456BCF45E0E89194DCDADF46C0 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/8D418B8419BE8FFD07185661A573F8B8521147C5 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/698AC159A6BCBA0D13FE6F10F1A38E498F826F33 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/39C1621C6763027D614390D31A517751A4AD91C3 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/A5A82E00158C0784FE9E6B08670D514F8348D245 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/F2CFCA6D14DE5FA96E3127D89121F2E6F004D2CD (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/D8CC044500B261C6794589BED782B70836EAD65C (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E325B486B777C14C29762600D998974140F8FD34 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/196BCA845E91608F7B4CA6127A60D20AF55413AC (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/63F48F4F7F1BC3195F5AB831F9794F3DBA2D30E1 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/6B459D246F7887BA8513F5801DE752A08094DD8A (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/05582FF5C196A4485F189490FEC9ECEA0890DA32 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E771454BB360CA5F7AA169E5416B493549BC2F59 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/B7DB036074231ACC212F58CA5B8AF0545A418060 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/44852F548E2DA4AF2A968DAF307485F74EF6F3C0 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/2BC6D22E320C3AD5F122613FBBF24D8F8DDFE8D2 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/44F81E7E214B17FF25AC54556BC33AC0C1A62B26 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/A698B6CF98F43F9B0EE1C1DAF3F2CB9BFF09A47C (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/F8AC72083E334F70A553AE68455FBDF0E65C5221 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/F17F04878A68505AE5481A71D8B733C5FFC6F285 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/5A9F94FBA58DB2BB86940F164F51C5190533CAC7 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E6D66AFFD836C8C13B306AAB42C9C6E3425363B6 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/AAD09DC668B8529769AEBA7A4A9EC20D79EC925A (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E7EAFD1748127CEAA48DCDD05E7998E3CAA95B8C (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/2B610FAD6EE6174C3C15BA488F7D896FD22FF794 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/65856B83CBC9E01A5FFF9981914F04B0F6436116 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/DC07751AD90150C6B658CD05E99F18A6A725B500 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/5E4954707B44E5A4B4ACF5F22B52219A1DCA477F (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/3DF10699984A3086A21900FAEC5595CBE3948F33 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/1AA5DF3AA9BAF5D88A5D31A2D2753A33FA1BE5DB (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/567881F4A84A4E54FD9DE83AA17D8ADA4C81402C (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/13B6B1BA274AC60E2BBF033AA422B2D3D3B07FD1 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/18CE467B00ED7B507CC72681EDCED9F73527CDD9 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/9548F9611999ED8CA357720E12017816424CFB6F (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/076B04687E353A48BF9F8F54C7556DD5EE9381D0 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/E4ED869149E42472064566CF555F4CBDFA43F6CE (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/2F8D3E7DF38A8EFF19A37E06DB9A7C5A88B70C11 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/1679441B8AA7B4D31717C773CC4E86A25B37532B (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/DE556ABC4C4DACD7976DC8E9EB9F5C9DC0E7B076 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/3BE2F225068DFB4AA8BD93F696A41C16C8CFA27F (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/480A7F2B2D435C5021E4D92358EBDE99275450C8 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/2EEBE7D9E8B2C0EC2F1A732F578AEFE4851A2A53 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/499B8F86D3D7ACD12153BFF4E7D9C21E20E57862 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/D6D7AC0B3D4DAC40D7A42CBE0FCCD3EF6B2BB312 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/5DDA527DCC532D0D7032913A302155F3451E45B3 (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/entries/7051A1E5425B79519AE6F65AD3BB2390F7D1C39B (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888)File: ./.cache/mozilla/firefox/u5o5kk16.default/cache2/ce_T151c2VyQ29udGV4dElkPTEsYSw= (bits: - usr: - grp: - all: rwx)Jump to behavior
      Source: ./wQN5w2558L (PID: 2888) File: ./.cache/logrotate/status (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.xsession-errors (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.dmrc (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.bashrc (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.dbus/session-bus/f0b45546524a75b2e6e8e8a55aab94da-0 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/203a169dec3216fbb03bc6760e7d0f9a.png (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/d7de604c8b54b08bf50a3c2c28efd2df.png (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/2454247923350b5d65d258305ccf59ce.png (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/6635e1111ee0cd4813b439af8913fa49.png (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.thumbnails/normal/12095cb0c16f1a0895ab343c7eb4b7c6.png (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.bash_history (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.profile (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.Xauthority (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/profiles.ini (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/Crash Reports/InstallTime20180313132747 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/pkcs11.txt (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/favicons.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/SecurityPreloadState.txt (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/AlternateServices.txt (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/cert9.db (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/search.json.mozlz4 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/saved-telemetry-pings/583ee681-7cfa-4d12-8648-eb797a8eec37 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/saved-telemetry-pings/9c07e1b5-a82a-432e-9a4c-18a3a975ad85 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/saved-telemetry-pings/e0d24830-8ed6-4f1a-b4e9-bfe84de4fc39 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/compatibility.ini (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/addonStartup.json.lz4 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/content-prefs.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/sessionstore.jsonlz4 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/key3.db (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/addons.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/containers.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/datareporting/state.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/datareporting/session-state.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/datareporting/archived/2018-04/1524571606164.583ee681-7cfa-4d12-8648-eb797a8eec37.first-shutdown.jsonlz4 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/datareporting/archived/2018-04/1524571606142.e0d24830-8ed6-4f1a-b4e9-bfe84de4fc39.new-profile.jsonlz4 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/datareporting/archived/2018-04/1524571606162.9c07e1b5-a82a-432e-9a4c-18a3a975ad85.main.jsonlz4 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/SiteSecurityServiceState.txt (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/xulstore.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/times.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/key4.db (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/blocklist.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/cookies.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/cert8.db (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/prefs.js (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/webappsstore.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/sessionCheckpoints.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/permissions.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/places.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/shield-preference-experiments.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/.parentlock (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/extensions.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage/permanent/chrome/.metadata-v2 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage/permanent/chrome/idb/3561288849sdhlie.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage/permanent/chrome/idb/2918063365piupsah.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage/permanent/chrome/.metadata (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage/default/about+newtab/.metadata-v2 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage/default/about+newtab/idb/3312185054sbndi_pspte.sqlite (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage/default/about+newtab/idb/3312185054sbndi_pspte.files/1 (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/storage/default/about+newtab/.metadata (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/handlers.json (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.mozilla/firefox/u5o5kk16.default/secmod.db (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.xsession-errors.old (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/recently-used.xbel (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/evolution/calendar/system/calendar.ics (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/evolution/addressbook/system/contacts.db (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/evolution/tasks/system/tasks.ics (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/applications/mimeapps.list (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/gvfs-metadata/root-d269eba3.log (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/gvfs-metadata/home-02b035a1.log (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/gvfs-metadata/home (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/gvfs-metadata/root (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/keyrings/user.keystore (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/keyrings/login.keyring (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.local/share/session_migration-xubuntu (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.sudo_as_admin_successful (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/Thunar/uca.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/mimeapps.list (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/evolution/sources/system-proxy.source (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/pulse/cookie (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-card-database.tdb (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-stream-volumes.tdb (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-device-volumes.tdb (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-default-source (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/pulse/f0b45546524a75b2e6e8e8a55aab94da-default-sink (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/user-dirs.locale (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/dconf/user (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/gedit/accels (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/libaccounts-glib/accounts.db (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/user-dirs.dirs (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/panel/whiskermenu-1.rc (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/desktop/icons.screen0-1008x727.rc (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/desktop/icons.screen0-1008x752.rc (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/desktop/icons.screen0-784x559.rc (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfwm4.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-panel.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/xfconf/xfce-perchannel-xml/keyboards.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/xfconf/xfce-perchannel-xml/displays.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-desktop.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-keyboard-shortcuts.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/libreoffice/4/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/backenddb.xml (bits: - usr: - grp: - all: rwx)
      Source: ./wQN5w2558L (PID: 2888) File: ./.config/libreoffice/4/user/uno_packa