hxxp://roblox[.]com

Analysis

max time kernel
1799s
max time network
1803s
platform
ubuntu-20.04_amd64
resource
ubuntu2004-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu2004-amd64-20240508-enkernel:5.4.0-169-genericlocale:en-usos:ubuntu-20.04-amd64system
submitted
26/03/2025, 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://roblox.com

Score

4^/10

antivm discovery

Malware Config

Signatures

Changes its process name 64 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	gmain	1542	firefox
Changes the process name, possibly in an attempt to hide itself	gdbus	1544	firefox
Changes the process name, possibly in an attempt to hide itself	glean.dispatche	1545	firefox
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1547	firefox
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1547	firefox
Changes the process name, possibly in an attempt to hide itself	IPC I/O Parent	1547	firefox
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1553	firefox
Changes the process name, possibly in an attempt to hide itself	HTML5 Parser	1553	firefox
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1552	firefox
Changes the process name, possibly in an attempt to hide itself	Backgro~Pool #1	1552	firefox
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1551	firefox
Changes the process name, possibly in an attempt to hide itself	IPDL Background	1551	firefox
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1550	firefox
Changes the process name, possibly in an attempt to hide itself	Socket Thread	1550	firefox
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1549	firefox
Changes the process name, possibly in an attempt to hide itself	Netlink Monitor	1549	firefox
Changes the process name, possibly in an attempt to hide itself	Timer	1548	firefox
Changes the process name, possibly in an attempt to hide itself	Timer	1548	firefox
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1555	firefox
Changes the process name, possibly in an attempt to hide itself	pool-firefox	1554	firefox
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1557	firefox
Changes the process name, possibly in an attempt to hide itself	JS Watchdog	1557	firefox
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1559	firefox
Changes the process name, possibly in an attempt to hide itself	BGReadURLs	1559	firefox
Changes the process name, possibly in an attempt to hide itself	glxtest:disk$0	1560	glxtest
Changes the process name, possibly in an attempt to hide itself	Cache2 I/O	1561	firefox
Changes the process name, possibly in an attempt to hide itself	Cookie	1562	firefox
Changes the process name, possibly in an attempt to hide itself	Cookie	1562	firefox
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1563	firefox
Changes the process name, possibly in an attempt to hide itself	StreamTrans #1	1563	firefox
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #1	1565	firefox
Changes the process name, possibly in an attempt to hide itself	TaskCon~ller #0	1564	firefox
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1566	firefox
Changes the process name, possibly in an attempt to hide itself	Worker Launcher	1566	firefox
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1567	firefox
Changes the process name, possibly in an attempt to hide itself	BgIOThr~Pool #1	1567	firefox
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1569	firefox
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1569	firefox
Changes the process name, possibly in an attempt to hide itself	Softwar~cThread	1569	firefox
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1574	firefox
Changes the process name, possibly in an attempt to hide itself	CanvasRenderer	1574	firefox
Changes the process name, possibly in an attempt to hide itself	Compositor	1573	firefox
Changes the process name, possibly in an attempt to hide itself	Compositor	1573	firefox
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1572	firefox
Changes the process name, possibly in an attempt to hide itself	WRWorkerLP#0	1572	firefox
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1571	firefox
Changes the process name, possibly in an attempt to hide itself	WRWorker#0	1571	firefox
Changes the process name, possibly in an attempt to hide itself	Renderer	1570	firefox
Changes the process name, possibly in an attempt to hide itself	Renderer	1570	firefox
Changes the process name, possibly in an attempt to hide itself	ImageIO	1575	firefox
Changes the process name, possibly in an attempt to hide itself	ImageIO	1575	firefox
Changes the process name, possibly in an attempt to hide itself	Permission	1576	firefox
Changes the process name, possibly in an attempt to hide itself	Permission	1576	firefox
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1579	firefox
Changes the process name, possibly in an attempt to hide itself	IPC Launch	1579	firefox
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1578	firefox
Changes the process name, possibly in an attempt to hide itself	SandboxReporter	1578	firefox
Changes the process name, possibly in an attempt to hide itself	Breakpad Server	1577	firefox
Changes the process name, possibly in an attempt to hide itself	Sandbox Forked	1580	firefox
Changes the process name, possibly in an attempt to hide itself	Chroot Helper	1583	firefox
Changes the process name, possibly in an attempt to hide itself	gmain	1584	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	gdbus	1585	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	pool-/usr/libex	1586	xdg-desktop-portal
Changes the process name, possibly in an attempt to hide itself	gdbus	1591	xdg-document-portal

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	firefox

Reads CPU attributes 1 TTPs 15 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/online	nautilus
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/present	firefox
File opened for reading	/sys/devices/system/cpu/online	nautilus
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	firefox

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/class	glxtest
File opened for reading	/sys/class	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/class	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:02.0/device	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/usb/devices	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/resource	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/irq	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/class	gvfs-mtp-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/resource	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/uevent	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/virtio0/drm/renderD128	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:06.0/vendor	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-0:1.0/uevent	gvfs-mtp-volume-monitor
File opened for reading	/sys/kernel/security/apparmor/features/dbus/mask	dbus-daemon
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:05.0/device	glxtest
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/device	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/subsystem_device	firefox
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/device	glxtest
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/bus/usb/devices	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/devices/pci0000:00/0000:00:05.0/usb1/1-1/1-1:1.0/uevent	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/class	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.3/device	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:01.1/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:04.0/vendor	glxtest
File opened for reading	/sys/devices/system/cpu	glxtest
File opened for reading	/sys/bus	gvfs-gphoto2-volume-monitor
File opened for reading	/sys/bus/pci/devices/0000:00:01.0/vendor	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:00.0/irq	glxtest
File opened for reading	/sys/bus/pci/devices/0000:00:03.0/vendor	glxtest
File opened for reading	/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/system/cpu	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/uevent	firefox
File opened for reading	/sys/devices/pci0000:00/0000:00:02.0/vendor	firefox

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1531/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/filesystems	gvfs-udisks2-volume-monitor
File opened for reading	/proc/1/cgroup	gvfs-udisks2-volume-monitor
File opened for reading	/proc/self/task/1918/stat	firefox
File opened for reading	/proc/self/fd	file-roller
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/task/1667/stat	firefox
File opened for reading	/proc/self/fd/124	firefox
File opened for reading	/proc/1881/cmdline	dbus-daemon
File opened for reading	/proc/2085/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/fd/56	firefox
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/self/mountinfo	firefox
File opened for reading	/proc/filesystems	dbus-daemon
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/task/1767/stat	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/filesystems	gnome-keyring-daemon
File opened for reading	/proc/filesystems	gvfs-mtp-volume-monitor
File opened for reading	/proc/1420/attr/current	dbus-daemon
File opened for reading	/proc/filesystems	sed
File opened for reading	/proc/self/fd	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/fd	file-roller
File opened for reading	/proc/filesystems	nautilus
File opened for reading	/proc/self/fd	nautilus
File opened for reading	/proc/1631/cmdline	dbus-daemon
File opened for reading	/proc/cmdline	dconf-service
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/1636/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	file-roller
File opened for reading	/proc/filesystems	gvfsd-network
File opened for reading	/proc/self/fd/30	firefox
File opened for reading	/proc/1607/cmdline	dbus-daemon
File opened for reading	/proc/self/fd/121	firefox
File opened for reading	/proc/self/fd/139	firefox
File opened for reading	/proc/2014/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	gvfsd-smb-browse
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/fd/136	firefox
File opened for reading	/proc/self/fd/148	firefox
File opened for reading	/proc/1857/cmdline	dbus-daemon
File opened for reading	/proc/2114/cmdline	dbus-daemon
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/filesystems	xdg-document-portal
File opened for reading	/proc/filesystems	nautilus
File opened for reading	/proc/self/fd/87	firefox
File opened for reading	/proc/self/fd/133	firefox
File opened for reading	/proc/self/maps	firefox
File opened for reading	/proc/self/fd/83	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/stat	firefox
File opened for reading	/proc/self/fd/100	firefox
File opened for reading	/proc/self/fd/127	firefox
File opened for reading	/proc/filesystems	firefox
File opened for reading	/proc/1845/cgroup	gvfs-udisks2-volume-monitor

System Information Discovery 1 TTPs 1 IoCs

Adversaries may gather information about the system, such as OS, hostname, and hardware details.

discovery

System Information Discovery

T1082

pid	Process
1558	lsb_release

System Network Configuration Discovery 1 TTPs 16 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
2091	unzip
2131	unzip
2021	unzip
2021	unzip
2021	unzip
2131	unzip
2091	unzip
2131	unzip
2021	unzip
2034	unzip
2034	unzip
2131	unzip
2034	unzip
2034	unzip
2091	unzip
2091	unzip

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/firefox/.parentlock	firefox
File opened for modification	/tmp/tmpaddon	firefox
File opened for modification	/tmp/bQfhXoXf.exe	firefox

/usr/bin/xdg-open
xdg-open http://roblox.com
1⤵
PID:1414
- /usr/bin/dbus-send
  dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
  2⤵
  PID:1415
- - /usr/bin/dbus-launch
    dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
    3⤵
    PID:1416
  - - /usr/bin/dbus-daemon
      /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:1418
    - - /usr/libexec/xdg-desktop-portal
        
        /usr/libexec/xdg-desktop-portal
        5⤵
        Changes its process name
        
        PID:1582
    - - /usr/libexec/xdg-document-portal
        
        /usr/libexec/xdg-document-portal
        5⤵
        Changes its process name
        Reads runtime system information
        
        PID:1588
    - - /usr/libexec/xdg-permission-store
        
        /usr/libexec/xdg-permission-store
        5⤵
        
        PID:1593
    - - /usr/libexec/xdg-desktop-portal-gtk
        
        /usr/libexec/xdg-desktop-portal-gtk
        5⤵
        
        PID:1602
    - - /usr/libexec/gvfsd
        
        /usr/libexec/gvfsd
        5⤵
        
        PID:1607
      - /usr/libexec/gvfsd-trash
        
        /usr/libexec/gvfsd-trash --spawner :1.8 /org/gtk/gvfs/exec_spaw/0
        6⤵
        
        PID:1640
      - /usr/libexec/gvfsd-network
        
        /usr/libexec/gvfsd-network --spawner :1.8 /org/gtk/gvfs/exec_spaw/1
        6⤵
        Reads runtime system information
        
        PID:2107
      - /usr/libexec/gvfsd-smb-browse
        
        /usr/libexec/gvfsd-smb-browse --spawner :1.8 /org/gtk/gvfs/exec_spaw/2
        6⤵
        Reads runtime system information
        
        PID:2114
      - /usr/libexec/gvfsd-dnssd
        
        /usr/libexec/gvfsd-dnssd --spawner :1.8 /org/gtk/gvfs/exec_spaw/3
        6⤵
        
        PID:2121
    - - /usr/libexec/dconf-service
        
        /usr/libexec/dconf-service
        5⤵
        Reads runtime system information
        
        PID:1631
    - - /usr/bin/nautilus
        
        /usr/bin/nautilus --gapplication-service
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:1636
    - - /usr/bin/gnome-keyring-daemon
        
        /usr/bin/gnome-keyring-daemon --start --foreground "--components=secrets"
        5⤵
        Reads runtime system information
        
        PID:1837
    - - /usr/libexec/gvfs-udisks2-volume-monitor
        
        /usr/libexec/gvfs-udisks2-volume-monitor
        5⤵
        Reads runtime system information
        
        PID:1845
    - - /usr/libexec/gvfs-afc-volume-monitor
        
        /usr/libexec/gvfs-afc-volume-monitor
        5⤵
        
        PID:1851
    - - /usr/libexec/gvfs-mtp-volume-monitor
        
        /usr/libexec/gvfs-mtp-volume-monitor
        5⤵
        Enumerates kernel/hardware configuration
        Reads runtime system information
        
        PID:1857
    - - /usr/libexec/gvfs-gphoto2-volume-monitor
        
        /usr/libexec/gvfs-gphoto2-volume-monitor
        5⤵
        Enumerates kernel/hardware configuration
        
        PID:1862
    - - /usr/libexec/gvfs-goa-volume-monitor
        
        /usr/libexec/gvfs-goa-volume-monitor
        5⤵
        
        PID:1869
    - - /usr/libexec/goa-daemon
        
        /usr/libexec/goa-daemon
        5⤵
        
        PID:1873
    - - /usr/libexec/goa-identity-service
        
        /usr/libexec/goa-identity-service
        5⤵
        
        PID:1881
    - - /usr/bin/nautilus
        
        /usr/bin/nautilus --gapplication-service
        5⤵
        Reads CPU attributes
        Reads runtime system information
        
        PID:2075
- /usr/bin/grep
  grep " = \\\"xfce4\\\"\$"
  2⤵
  PID:1422
- /usr/bin/xprop
  xprop -root _DT_SAVE_MODE
  2⤵
  PID:1421
- /usr/bin/grep
  grep -i "^xfce_desktop_window"
  2⤵
  PID:1424
- /usr/bin/xprop
  xprop -root
  2⤵
  PID:1423
- /usr/bin/grep
  grep -q "^Enlightenment"
  2⤵
  PID:1426
- /usr/bin/uname
  uname
  2⤵
  PID:1427
- /usr/bin/grep
  grep -q "^file://"
  2⤵
  PID:1429
- /usr/bin/egrep
  egrep -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1431
- /usr/local/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1431
- /usr/local/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1431
- /usr/sbin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1431
- /usr/bin/grep
  grep -E -q "^[[:alpha:]+\\.\\-]+:"
  2⤵
  PID:1431
- /usr/bin/sed
  sed -n "s/\$^[[:alnum:]+\\.-]*\$:.*\$/\\1/p"
  2⤵
  PID:1434
- /usr/bin/xdg-mime
  xdg-mime query default x-scheme-handler/http
  2⤵
  PID:1435
- - /usr/bin/dbus-send
    dbus-send --print-reply "--dest=org.freedesktop.DBus" /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager
    3⤵
    PID:1436
  - - /usr/bin/dbus-launch
      dbus-launch --autolaunch 4816dd152e8c48ff97e9117d197c13d8 --binary-syntax --close-stderr
      4⤵
      PID:1437
- - /usr/bin/grep
    grep " = \\\"xfce4\\\"\$"
    3⤵
    PID:1439
- - /usr/bin/xprop
    xprop -root _DT_SAVE_MODE
    3⤵
    PID:1438
- - /usr/bin/grep
    grep -i "^xfce_desktop_window"
    3⤵
    PID:1441
- - /usr/bin/xprop
    xprop -root
    3⤵
    PID:1440
- - /usr/bin/grep
    grep -q "^Enlightenment"
    3⤵
    PID:1443
- - /usr/bin/uname
    uname
    3⤵
    PID:1444
- - /usr/bin/sed
    sed "s/:/ /g"
    3⤵
    PID:1447
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    PID:1449
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1452
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1451
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1450
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1457
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1456
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1455
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache
    3⤵
    PID:1454
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1462
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1461
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1460
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    PID:1459
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1467
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1466
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1465
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache
    3⤵
    PID:1464
- - /usr/bin/cut
    cut -d ";" -f 1
    3⤵
    PID:1472
- - /usr/bin/cut
    cut -d "=" -f 2
    3⤵
    PID:1471
- - /usr/bin/head
    head -n 1
    3⤵
    PID:1470
- - /usr/bin/grep
    grep "x-scheme-handler/http=" /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache
    3⤵
    PID:1469
- /usr/bin/sed
  sed "s/:/ /g"
  2⤵
  - Reads runtime system information
  PID:1475
- /usr/bin/sed
  sed -e "s|-|/|"
  2⤵
  PID:1478
- /usr/bin/sed
  sed -e "s|-|/|"
  2⤵
  PID:1481
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1493
- /usr/bin/which
  which firefox
  2⤵
  PID:1496
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1505
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1511
- /usr/bin/cut
  cut "-d=" -f 2-
  2⤵
  PID:1527
- /usr/bin/firefox
  /usr/bin/firefox http://roblox.com
  2⤵
  PID:1531
- - /usr/bin/which
    which /usr/bin/firefox
    3⤵
    PID:1539
- /usr/lib/firefox/firefox
  /usr/lib/firefox/firefox http://roblox.com
  2⤵
  - Changes its process name
  - Checks CPU configuration
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  - Writes file to tmp directory
  PID:1531
- - /usr/local/sbin/dbus-launch
    dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    3⤵
    PID:1543
- - /usr/local/bin/dbus-launch
    dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    3⤵
    PID:1543
- - /usr/sbin/dbus-launch
    dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    3⤵
    PID:1543
- - /usr/bin/dbus-launch
    dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    3⤵
    PID:1543
- - /usr/lib/firefox/glxtest
    /usr/lib/firefox/glxtest -f 13
    3⤵
    - Changes its process name
    - Enumerates kernel/hardware configuration
    PID:1546
- - /usr/bin/lsb_release
    /usr/bin/lsb_release -idrc
    3⤵
    - System Information Discovery
    PID:1558
- - /usr/local/sbin/dbus-launch
    dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    3⤵
    PID:1568
- - /usr/local/bin/dbus-launch
    dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    3⤵
    PID:1568
- - /usr/sbin/dbus-launch
    dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    3⤵
    PID:1568
- - /usr/bin/dbus-launch
    dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
    3⤵
    PID:1568
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 21691 -prefMapSize 235269 -appDir /usr/lib/firefox/browser "{c63fc7ba-89f0-4b07-ba0f-9e18e0a57ac0}" 1531 true socket
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1580
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 20430 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{4ee0a0f9-5487-4392-ad10-855b1aa0ea75}" 1531 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1657
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 26558 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{a5bbe3a3-a1eb-4e85-a93c-9f1ebd895500}" 1531 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1693
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 25304 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{dbc65980-0bde-4f5d-96d5-1966fb4ba190}" 1531 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1713
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -sandboxingKind 0 -prefsLen 30656 -prefMapSize 235269 -appDir /usr/lib/firefox/browser "{7a59b0bf-288a-4d4c-8007-e4799e56f2ed}" 1531 true utility
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1756
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 25441 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{d36f7099-9800-415b-bf8c-280f7e9dc233}" 1531 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1761
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 25441 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{c321c904-84e0-40a1-bcda-1cfd39e0a2e0}" 1531 true tab
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1764
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 25441 -prefMapSize 235269 -jsInitLen 229864 -parentBuildID 20240108143603 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser "{048b531a-4b99-4d2a-acf0-fd312c594f7a}" 1531 true tab
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1783
- - /usr/lib/firefox/firefox
    /usr/lib/firefox/firefox -contentproc -parentBuildID 20240108143603 -prefsLen 31984 -prefMapSize 235269 -appDir /usr/lib/firefox/browser "{9210c875-490d-49db-81a8-f656e89b7bf0}" 1531 true rdd
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:1915
- - /usr/bin/speech-dispatcher
    /usr/bin/speech-dispatcher --spawn --communication-method unix_socket --socket-path /root/.cache/speech-dispatcher/speechd.sock
    3⤵
    PID:1945
  - - /bin/sh
      sh -c "type espeak > /dev/null 2>&1"
      4⤵
      PID:1948
  - - /bin/sh
      sh -c "type mbrola > /dev/null 2>&1"
      4⤵
      PID:1949
  - - /bin/sh
      sh -c "type espeak > /dev/null 2>&1"
      4⤵
      PID:1951
  - - /bin/sh
      sh -c "type espeak-ng > /dev/null 2>&1"
      4⤵
      PID:1952
  - - /bin/sh
      sh -c "type mbrola > /dev/null 2>&1"
      4⤵
      PID:1953
  - - /bin/sh
      sh -c "type curl > /dev/null 2>&1"
      4⤵
      PID:1954
  - - /bin/sh
      sh -c "type epos-say > /dev/null 2>&1"
      4⤵
      PID:1955
  - - /bin/sh
      sh -c "type say > /dev/null 2>&1"
      4⤵
      PID:1957
  - - /bin/sh
      sh -c "type pico2wave > /dev/null 2>&1"
      4⤵
      PID:1958
  - - /bin/sh
      sh -c "type llia_phon > /dev/null 2>&1"
      4⤵
      PID:1959
  - - /bin/sh
      sh -c "type mbrola > /dev/null 2>&1"
      4⤵
      PID:1960
  - - /bin/sh
      sh -c "type /opt/swift/bin/swift > /dev/null 2>&1"
      4⤵
      PID:1961
  - - /usr/lib/speech-dispatcher-modules/sd_espeak-ng
      /usr/lib/speech-dispatcher-modules/sd_espeak-ng /etc/speech-dispatcher/modules/espeak-ng.conf
      4⤵
      PID:1963
  - - /usr/lib/speech-dispatcher-modules/sd_generic
      /usr/lib/speech-dispatcher-modules/sd_generic /etc/speech-dispatcher/modules/mary-generic.conf
      4⤵
      PID:1968
  - - /usr/lib/speech-dispatcher-modules/sd_dummy
      /usr/lib/speech-dispatcher-modules/sd_dummy /etc/speech-dispatcher/modules/dummy.conf
      4⤵
      PID:1970

/usr/libexec/gvfsd-fuse
/usr/libexec/gvfsd-fuse /root/.cache/gvfs -f -o big_writes
1⤵
PID:1612

/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=\$\$; exec \"\$@\"" sh file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2014

/usr/local/sbin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2014

/usr/local/bin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2014

/usr/sbin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2014

/usr/bin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
- Reads runtime system information
PID:2014
- /usr/local/sbin/dbus-launch
  dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  2⤵
  PID:2018
- /usr/local/bin/dbus-launch
  dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  2⤵
  PID:2018
- /usr/sbin/dbus-launch
  dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  2⤵
  PID:2018
- /usr/bin/dbus-launch
  dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  2⤵
  PID:2018
- /usr/local/sbin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2021
- /usr/local/bin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2021
- /usr/sbin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2021
- /usr/bin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2021

/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=\$\$; exec \"\$@\"" sh file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2027

/usr/local/sbin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2027

/usr/local/bin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2027

/usr/sbin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2027

/usr/bin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
- Reads runtime system information
PID:2027
- /usr/local/sbin/dbus-launch
  dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  2⤵
  PID:2031
- /usr/local/bin/dbus-launch
  dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  2⤵
  PID:2031
- /usr/sbin/dbus-launch
  dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  2⤵
  PID:2031
- /usr/bin/dbus-launch
  dbus-launch "--autolaunch=4816dd152e8c48ff97e9117d197c13d8" --binary-syntax --close-stderr
  2⤵
  PID:2031
- /usr/local/sbin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2034
- /usr/local/bin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2034
- /usr/sbin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2034
- /usr/bin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2034

/bin/sh
/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=\$\$; exec \"\$@\"" sh file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2085

/usr/local/sbin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2085

/usr/local/bin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2085

/usr/sbin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2085

/usr/bin/file-roller
file-roller /root/Downloads/RobloxPlayerInstaller.exe
1⤵
PID:2085
- /usr/local/sbin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2091
- /usr/local/bin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2091
- /usr/sbin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2091
- /usr/bin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2091
- /usr/local/sbin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2131
- /usr/local/bin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2131
- /usr/sbin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2131
- /usr/bin/unzip
  unzip -ZTs -- /root/Downloads/RobloxPlayerInstaller.exe
  2⤵
  - System Network Configuration Discovery
  PID:2131

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.cache/dconf/user

Filesize
2B

MD5
c4103f122d27677c9db144cae1394a66

SHA1
1489f923c4dca729178b3e3233458550d8dddf29

SHA256
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7

SHA512
5ea71dc6d0b4f57bf39aadd07c208c35f06cd2bac5fde210397f70de11d439c62ec1cdf3183758865fd387fcea0bada2f6c37a4a17851dd1d78fefe6f204ee54

Download Submit
/root/.cache/mesa_shader_cache/00/a0e47c693859ad9b9ec75253bc8ce6ca5a0ec6.tmp

Filesize
646B

MD5
e57b8cf0d399bf0879aae0ba56c70d88

SHA1
67b73ec877d90597ead4abffa83216bb28616574

SHA256
d6680f9810ec28d79e41c49c45cf03084a3f24ac8e67e4a701b40b2e26b8c3ba

SHA512
b8291d7de1f6a09a4f40941f173d364424a21c6f2dfb428ad6bdce0c58843252fd01118a945b1d093701af07c8f4b49ce69f5fd679fb365f70204f03e403d2ee

Download Submit
/root/.cache/mesa_shader_cache/3f/e6994d192afa19def0b4da06446c94ec19831b.tmp

Filesize
1KB

MD5
2b3a78be93a3f1770e16b2d8b1588e22

SHA1
381ad9a4ddf370402708b76a02f29a9715878913

SHA256
ef4fc1017816b6a4e4b2f7be83d139f9aa92879b321d9af7abbe7902303001a5

SHA512
2d606c03b8e17ad010ad38a5cd5a550f2f380a5f3948028ea1be777b0aecf87cf361cb68ca36c4eb48bee0b2ff56589974694eaf268ceeb4afd0abec5a9060fd

Download Submit
/root/.cache/speech-dispatcher/log/dummy.log

Filesize
129B

MD5
b2b3a649e7e18f578a7d885627764958

SHA1
9581944e1dd494b74896964a2b2db251428849be

SHA256
4d0663e7c2b22f2942d0e8eb992e7cce6350a01bde90d941a4fb1fab1e65065a

SHA512
db150cd21eeea03ae2a4e0a1325f3f5d60343d08de349cb27e1da0a51402301b6271ede58f69377dc0d337e9db1071d5921a4d26f81427b74d361959d2c823e7

Download Submit
/root/.cache/speech-dispatcher/log/espeak-ng.log

Filesize
52B

MD5
ef84f4e65f11da983c74a7bb8edb00e4

SHA1
6a6b59b99ceba44216cfa42e5be6a1d641615ded

SHA256
f56bc2309418b8e3f485b18fa4cc2a641912f03a08e3555387faa6fb925ca547

SHA512
85019f18beeea67e60030755b3181fc3305eaade197200bd37a956dab9c4aea9ca0006f350c9def753c2036ddf851822733e9a050829b563624e9fec52fe784d

Download Submit
/root/.cache/speech-dispatcher/log/mary-generic.log

Filesize
151B

MD5
7b92a4d1d104620c17b8b007b82f4ea6

SHA1
fd86d4191806d10aa33baa3f47d2251dbacf461e

SHA256
7a0cea6035a30a623000fec0b0b03f597049663dcf103bb47af898a2e5db4966

SHA512
64620869fc6c85c667f7543c5fecc6771756bf2d429295a2c6f3397deab885e373ed2542625de8e67ce696bc506c300c43a14ccb482f628b17e869cb07f0e2d2

Download Submit
/root/.cache/speech-dispatcher/log/speech-dispatcher.log

Filesize
3KB

MD5
29336d55293ebf48ba2df94ea6528114

SHA1
3bdcb042ad8f6b8f434585eb437ed5882bf6a8bd

SHA256
07d2373a137010edd6364e8d8e4105b0511525a40a10956a776520731819bacb

SHA512
3d27b135e895df5f892028f83b3dec5596c3ce52154d79bc049ebb854091dba97b3806a62611bb34ad3f4bd87ecdc08a6ef8ae3498cd9376ba1f2f62e50a0930

Download Submit
/root/.cache/speech-dispatcher/pid/speech-dispatcher.pid

Filesize
5B

MD5
382407821535c4b660fdef3514553ee1

SHA1
7d95a2439675ceb6982e90efe63b957495fd5075

SHA256
0d89fb567b1a1393f00683eb079cb7d2d22e68ac717b895c2a5ea71a36af2148

SHA512
1445ea1c24d8de5636938a470e90014f3c43842cfccfaa8190b6f7a9ce461ebe2f0cef29826f5edbd0464e332818fe3b1d4aeaf96ae6f7407f72e62b3afa55e9

Download Submit
/root/Downloads/RobloxPlayerInstaller.-doyBC4F.exe.part

Filesize
7.8MB

MD5
61dfe711ad40b56264dde7cde851f331

SHA1
2d83594bb4aecb29f8265906a570d7345e545fb0

SHA256
f90e36ec6ad0ca6f7498a4265eb313f13ba4bbc18d0a3f05523e2003ad787c46

SHA512
01eab48429cbcb114272d97435628168de7c09447103880e3c0ce854327d4659d75af1ccf1431adfa09a1dcd4762e6cbfcf4aa919aa6e16355282d989da720e3

Download Submit
/root/Downloads/bQfhXoXf.exe.part

Filesize
18KB

MD5
69a6aa1ea53fd74e58f887326801aee6

SHA1
aae577efeceff155215ae5c03759de498fe106f7

SHA256
f3c68816e3facd3ad69f7b55d5935172377abf233fb9f8c2d5f12745a500f839

SHA512
7a52fde217d7f2aaef6b347d0ef2906f4e8c809e42814c352b24913b8699c17d81766b297a3398103ab90877721d8c9d433e91914b877075589774a2416a64c1

Download Submit
/run/samba/gencache.tdb

Filesize
431KB

MD5
c8cb728a41bc10fe4efbab4ad9083352

SHA1
748bebf96668e9c2013fbadac57606b023b1657d

SHA256
d4e04cfd86d95339254ffe1e552180f7b6096d32dcc83a5db377756ea14316b2

SHA512
653c26acaf0e2d06845b53c3aeaa0bdfdb7ac0028c93ca4fa767653a7a22149d28bb962a343f8f72512e5f10d22876d3c0e91e33d628386c3c73ebc87eeb710a

Download Submit
/tmp/tmpaddon

Filesize
499KB

MD5
152eda253e242e18443ef3282495bc7c

SHA1
ff0fa85565f21ec4931baad4573b4c0bd08c4019

SHA256
8e03090fee16f6e0ee2e436af8e51d0c3deed6d9f0db80dec048e668fc009a48

SHA512
94531e267314de661b2205c606283fb066d781e5c11027578f2a3c3aa353437c2289544074a28101b6b6f0179f0fe6bd890a0ae2bb6e1cf9053650472576366c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads