
Linux Analysis Report
morte.arm7.elf

Overview

General Information

Sample name:morte.arm7.elf
Analysis ID:1648697
MD5:994408ba1a2fa4a8a81771f3d701b467
SHA1:9ebb0e77e1a773a9ccb914a527133148bd45ba1f
SHA256:cb5ee82128b699063579f43eb181d7eaf6233b59be8959b935d10960cb3e8fc8
Tags:elf, user-abuse_ch

Detection

Score:56
Range:0 - 100

Signatures

Multi AV Scanner detection for submitted file
Sample is packed with UPX
Sample tries to kill multiple processes (SIGKILL)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
ELF contains segments with high entropy indicating compressed/encrypted content
Enumerates processes within the "proc" file system
Sample contains only a LOAD segment without any section mappings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Classification chart labels: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1648697
Start date and time:2025-03-26 04:43:18 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 38s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultlinuxfilecookbook.jbs
Analysis system description:Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:default
Sample name:morte.arm7.elf
Detection:MAL
Classification:mal56.spre.evad.linELF@0/0@0/0
Command:/tmp/morte.arm7.elf
PID:5435
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • wrapper-2.0 (PID: 5453, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
  • wrapper-2.0 (PID: 5454, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
  • wrapper-2.0 (PID: 5455, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
  • wrapper-2.0 (PID: 5456, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
    • xfpm-power-backlight-helper (PID: 5477, Parent: 5456, MD5: 3d221ad23f28ca3259f599b1664e2427) Arguments: /usr/sbin/xfpm-power-backlight-helper --get-max-brightness
  • wrapper-2.0 (PID: 5457, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
  • wrapper-2.0 (PID: 5458, Parent: 3147, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
  • xfconfd (PID: 5476, Parent: 5475, MD5: 4c7a0d6d258bb970905b19b84abcd8e9) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
  • systemd New Fork (PID: 5507, Parent: 2935)
  • xfce4-notifyd (PID: 5507, Parent: 2935, MD5: eee956f1b227c1d5031f9c61223255d1) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
  • cleanup
No yara matches
No Suricata rule has matched


AV Detection

Source: morte.arm7.elf | ReversingLabs: Detection: 41%
Source: global traffic | TCP traffic: 192.168.2.13:44572 -> 176.65.142.252:7575
Source: /tmp/morte.arm7.elf (PID: 5437) | Socket: 127.0.0.1:65279
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.142.252 (25 identical entries)
Source: morte.arm7.elf | String found in binary or memory: http://upx.sf.net

System Summary

Source: /tmp/morte.arm7.elf (PID: 5439) | SIGKILL sent to PIDs 3104, 3161, 3162, 3163, 3164, 3165, 3170, 3182, 3208, 3212, 5453, 5454, 5455, 5456, 5457, 5458, 5476, 5507 (result: successful for each)
Source: LOAD without section mappings | Program segment: 0x8000
Source: classification engine | Classification label: mal56.spre.evad.linELF@0/0@0/0

Data Obfuscation

Source: initial sample | String containing UPX found: $Info: This file is packed with the UPX executable packer http://upx.sf.net $
Source: initial sample | String containing UPX found: $Id: UPX 3.94 Copyright (C) 1996-2017 the UPX Team. All Rights Reserved. $
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PIDs 5453, 5454, 5455, 5456, 5457, 5458) | Directory: /home/saturnino/.Xdefaults-galassia
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5457) | Directory: .uuid under /usr/share/fonts, /usr/local/share/fonts, /home/saturnino/.local/share/fonts, /home/saturnino/.fonts, /usr/share/fonts/X11, /usr/share/fonts/cMap, /usr/share/fonts/cmap, /usr/share/fonts/opentype, /usr/share/fonts/truetype, /usr/share/fonts/type1, /usr/share/fonts/X11/Type1, /usr/share/fonts/X11/encodings, /usr/share/fonts/X11/misc, /usr/share/fonts/X11/util, /usr/share/fonts/cmap/adobe-cns1, /usr/share/fonts/cmap/adobe-gb1, /usr/share/fonts/cmap/adobe-japan1, /usr/share/fonts/cmap/adobe-japan2, /usr/share/fonts/cmap/adobe-korea1, /usr/share/fonts/opentype/malayalam, /usr/share/fonts/opentype/mathjax, /usr/share/fonts/opentype/noto, /usr/share/fonts/opentype/urw-base35, /usr/share/fonts/truetype/Gargi, /usr/share/fonts/truetype/Gubbi
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5457) | Directory: /home/saturnino/.cache, /home/saturnino/.local, /home/saturnino/.config
Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5476) | Directory: /home/saturnino/.cache, /home/saturnino/.local, /home/saturnino/.config
Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5507) | Directory: /home/saturnino/.Xdefaults-galassia, /home/saturnino/.cache, /home/saturnino/.local, /home/saturnino/.config
Source: /tmp/morte.arm7.elf (PID: 5439) | File opened: /proc/<pid>/cmdline for PIDs 5382, 3122, 3117, 3114, 914, 518, 519, 3636, 5418, 917, 5419, 5278, 3134, 3375, 3132, 3095, 1745, 1866, 1588, 884, 1982, 765, 3246, 767, 800, 1906, 802, 803, 1748, 3420, 1482, 490, 1480, 1755, 1238, 1875, 2964, 3413, 1751, 1872, 2961, 1475, 656, 778, 657, 658, 659, 418, 3776, 936, 419, 816, 1879, 5453, 5454, 5455, 1891, 3310, 3153, 780, 660, 1921, 783, 1765, 2974, 1400, 1884, 3424, 2972, 3709, 3147, 2970, 1881, 3146, 3300, 1805, 1925, 1804, 1648, 1922, 3429, 3442, 3165, 3164, 3163, 3162, 790, 3161, 792, 793, 672, 1930, 674, 795, 3315, 1411, 2984, 1410, 797, 676, 3434, 3158, 678, 679, 5456
Source: morte.arm7.elf | Submission file: segment LOAD with 7.9471 entropy (max. 8.0)
Source: /tmp/morte.arm7.elf (PID: 5435) | Queries kernel information via 'uname'
Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PIDs 5453, 5454, 5455, 5456, 5457, 5458) | Queries kernel information via 'uname'
Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5507) | Queries kernel information via 'uname'
Source: morte.arm7.elf, 5435.1.000055e99754a000.000055e997738000.rw-.sdmp, morte.arm7.elf, 5441.1.000055e99754a000.000055e997738000.rw-.sdmp | Binary or memory string: U!/etc/qemu-binfmt/arm
Source: morte.arm7.elf, 5435.1.000055e99754a000.000055e997738000.rw-.sdmp, morte.arm7.elf, 5441.1.000055e99754a000.000055e997738000.rw-.sdmp | Binary or memory string: /etc/qemu-binfmt/arm
Source: morte.arm7.elf, 5435.1.00007ffe0cda7000.00007ffe0cdc8000.rw-.sdmp, morte.arm7.elf, 5441.1.00007ffe0cda7000.00007ffe0cdc8000.rw-.sdmp | Binary or memory string: /usr/bin/qemu-arm
Source: morte.arm7.elf, 5435.1.00007ffe0cda7000.00007ffe0cdc8000.rw-.sdmp, morte.arm7.elf, 5441.1.00007ffe0cda7000.00007ffe0cdc8000.rw-.sdmp | Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/morte.arm7.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/morte.arm7.elf
ATT&CK tactics and techniques (numbers are kept as shown in the report):
  • Reconnaissance: Gather Victim Identity Information; Credentials
  • Resource Development: Acquire Infrastructure; Domains
  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: 1 Hidden Files and Directories; 11 Obfuscated Files or Information
  • Credential Access: 1 OS Credential Dumping; LSASS Memory
  • Discovery: 11 Security Software Discovery; Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Command and Control: 1 Non-Standard Port; Junk Data
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Impact: 1 Service Stop; Network Denial of Service
No configs have been found
Behavior Graph ID: 1648697 | Sample: morte.arm7.elf | Start date: 26/03/2025 | Architecture: LINUX | Score: 56
  • 2: root
  • 25: 176.65.142.252, ports 44572, 44574, 44576, WEBTRAFFICDE Germany (2->25)
  • 27: Multi AV Scanner detection for submitted file (2->27)
  • 29: Sample is packed with UPX (2->29)
  • 8: morte.arm7.elf started (2->8)
  • 10: xfce4-panel wrapper-2.0 started (2->10)
  • 12: xfce4-panel wrapper-2.0 started (2->12)
  • 14: 6 other processes (2->14)
  • 16: morte.arm7.elf started (8->16)
  • 18: wrapper-2.0 xfpm-power-backlight-helper started (10->18)
  • 20: morte.arm7.elf started (16->20)
  • 23: morte.arm7.elf started (16->23)
  • 31: Sample tries to kill multiple processes (SIGKILL) (20->31)

Source | Detection | Scanner | Label
morte.arm7.elf | 42% | ReversingLabs | Linux.Backdoor.Mirai
No Antivirus matches


No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | morte.arm7.elf | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
176.65.142.252 | unknown | Germany | 8649 | WEBTRAFFICDE | false
Match | Associated Sample Name / URL | Detection | Threat Name
176.65.142.252 | morte.ppc.elf | malicious | Unknown
176.65.142.252 | morte.x64.elf | malicious | Unknown
176.65.142.252 | morte.x64.elf | malicious | Gafgyt, Okiru
176.65.142.252 | morte.mpsl.elf | malicious | Gafgyt, Okiru
176.65.142.252 | morte.sh4.elf | malicious | Gafgyt, Okiru
176.65.142.252 | morte.ppc.elf | malicious | Okiru
176.65.142.252 | morte.m68k.elf | malicious | Gafgyt, Okiru
176.65.142.252 | morte.arm.elf | malicious | Gafgyt, Okiru
176.65.142.252 | morte.x64.elf | malicious | Gafgyt, Okiru
176.65.142.252 | morte.sh4.elf | malicious | Gafgyt, Okiru
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WEBTRAFFICDE | morte.ppc.elf | malicious | Unknown | 176.65.142.252
WEBTRAFFICDE | morte.x64.elf | malicious | Unknown | 176.65.142.252
WEBTRAFFICDE | morte.x64.elf | malicious | Gafgyt, Okiru | 176.65.142.252
WEBTRAFFICDE | morte.mpsl.elf | malicious | Gafgyt, Okiru | 176.65.142.252
WEBTRAFFICDE | morte.sh4.elf | malicious | Gafgyt, Okiru | 176.65.142.252
WEBTRAFFICDE | morte.ppc.elf | malicious | Okiru | 176.65.142.252
WEBTRAFFICDE | morte.m68k.elf | malicious | Gafgyt, Okiru | 176.65.142.252
WEBTRAFFICDE | morte.arm.elf | malicious | Gafgyt, Okiru | 176.65.142.252
WEBTRAFFICDE | zrBlUcVcif.exe | malicious | Stealc | 176.65.142.161
WEBTRAFFICDE | lMbZjiaGWp.exe | malicious | Stealc | 176.65.142.161
No created / dropped files found
File type:ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header
Entropy (8bit):7.971725680975516
TrID:
  • ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:morte.arm7.elf
File size:43'820 bytes
MD5:994408ba1a2fa4a8a81771f3d701b467
SHA1:9ebb0e77e1a773a9ccb914a527133148bd45ba1f
SHA256:cb5ee82128b699063579f43eb181d7eaf6233b59be8959b935d10960cb3e8fc8
SHA512:f22dd9392e231cd861a3a01bcc39931245b864ee80d9322cb4c6a9d65ad662bf00328d4ab8506df440ab847c1c7278f8493be3c42342ef7868975d09c3e10ad4
SSDEEP:768:YFWoLJaLqMug//spQMcgeogMqe0+gk1OK9q3UELYi0I48hQfCkh08Jb9q:WRba/8QF+gQgLYRIOqkN99q
TLSH:AB13F1C686B78440DE789D74DB1A4E8F9E1652E8678A3A2F0309750C65C72A173FE24F
File Content Preview:.ELF..............(.........4...........4. ...(......................q...q..............$3..$3..$3..................Q.td...............................OUPX!........,...,.......i..........?.E.h;....#..$...o...k.......*).......X...$.'.?{.<..a..(.P.wI.U$.|.W

                        ELF header

Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
Machine: ARM
Version Number: 0x1
Type: EXEC (Executable file)
OS/ABI: UNIX - Linux
ABI Version: 0
Entry Point Address: 0xdfa8
Flags: 0x4000002
ELF Header Size: 52
Program Header Offset: 52
Program Header Size: 32
Number of Program Headers: 3
Section Header Offset: 0
Section Header Size: 40
Number of Section Headers: 0
Header String Table Index: 0

Program headers

Type       Offset  Virtual Address  Physical Address  File Size  Memory Size  Entropy  Flags  Flags Description  Align   Prog Interpreter  Section Mappings
LOAD       0x0     0x8000           0x8000            0x7195     0x7195       7.9471   0x5    R E                0x8000
LOAD       0x3324  0x23324          0x23324           0x0        0x0          0.0000   0x6    RW                 0x8000
GNU_STACK  0x0     0x0              0x0               0x0        0x0          0.0000   0x7    RWE                0x4


Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 26, 2025 04:44:09.388370991 CET  44572        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:09.590059042 CET  7575         44572      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:10.592782974 CET  44574        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:10.798367023 CET  7575         44574      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:20.806284904 CET  44576        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:21.012145042 CET  7575         44576      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:24.019773960 CET  44578        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:24.224746943 CET  7575         44578      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:28.272495031 CET  44580        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:28.476064920 CET  7575         44580      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:30.646821022 CET  44582        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:30.847969055 CET  7575         44582      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:32.849632978 CET  44584        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:33.051645041 CET  7575         44584      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:38.053802013 CET  44586        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:38.255449057 CET  7575         44586      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:44.258380890 CET  44588        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:44.464215994 CET  7575         44588      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:52.466723919 CET  44590        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:52.672396898 CET  7575         44590      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:53.675594091 CET  44592        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:44:53.878565073 CET  7575         44592      176.65.142.252  192.168.2.13
Mar 26, 2025 04:44:59.881148100 CET  44594        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:00.085277081 CET  7575         44594      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:06.088160992 CET  44596        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:06.291079998 CET  7575         44596      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:10.294904947 CET  44598        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:10.496927977 CET  7575         44598      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:19.500272989 CET  44600        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:19.705609083 CET  7575         44600      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:20.708900928 CET  44602        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:20.911535025 CET  7575         44602      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:21.915139914 CET  44604        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:22.116425037 CET  7575         44604      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:27.119961023 CET  44606        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:27.321080923 CET  7575         44606      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:36.322835922 CET  44608        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:36.528420925 CET  7575         44608      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:38.530915022 CET  44610        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:38.733067036 CET  7575         44610      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:46.735383987 CET  44612        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:46.936723948 CET  7575         44612      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:49.939800978 CET  44614        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:50.140978098 CET  7575         44614      176.65.142.252  192.168.2.13
Mar 26, 2025 04:45:56.144740105 CET  44616        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:45:56.346096992 CET  7575         44616      176.65.142.252  192.168.2.13
Mar 26, 2025 04:46:02.357273102 CET  44618        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:46:02.558229923 CET  7575         44618      176.65.142.252  192.168.2.13
Mar 26, 2025 04:46:07.560962915 CET  44620        7575       192.168.2.13    176.65.142.252
Mar 26, 2025 04:46:07.762806892 CET  7575         44620      176.65.142.252  192.168.2.13

                        System Behavior

Start time (UTC): 03:44:08
Start date (UTC): 26/03/2025
Path: /tmp/morte.arm7.elf
Arguments: /tmp/morte.arm7.elf
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 03:44:08
Start date (UTC): 26/03/2025
Path: /tmp/morte.arm7.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 03:44:08
Start date (UTC): 26/03/2025
Path: /tmp/morte.arm7.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 03:44:08
Start date (UTC): 26/03/2025
Path: /tmp/morte.arm7.elf
Arguments: -
File size: 4956856 bytes
MD5 hash: 5ebfcae4fe2471fcc5695c2394773ff1

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/bin/xfce4-panel
Arguments: -
File size: 375768 bytes
MD5 hash: a15b657c7d54ac1385f1f15004ea6784

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 12582920 systray "Notification Area" "Area where notification icons appear"
File size: 35136 bytes
MD5 hash: ac0b8a906f359a8ae102244738682e76

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/bin/xfce4-panel
Arguments: -
File size: 375768 bytes
MD5 hash: a15b657c7d54ac1385f1f15004ea6784

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 12582921 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
File size: 35136 bytes
MD5 hash: ac0b8a906f359a8ae102244738682e76

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/bin/xfce4-panel
Arguments: -
File size: 375768 bytes
MD5 hash: a15b657c7d54ac1385f1f15004ea6784

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 12582922 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
File size: 35136 bytes
MD5 hash: ac0b8a906f359a8ae102244738682e76

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/bin/xfce4-panel
Arguments: -
File size: 375768 bytes
MD5 hash: a15b657c7d54ac1385f1f15004ea6784

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 12582923 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
File size: 35136 bytes
MD5 hash: ac0b8a906f359a8ae102244738682e76

Start time (UTC): 03:44:22
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments: -
File size: 35136 bytes
MD5 hash: ac0b8a906f359a8ae102244738682e76

Start time (UTC): 03:44:22
Start date (UTC): 26/03/2025
Path: /usr/sbin/xfpm-power-backlight-helper
Arguments: /usr/sbin/xfpm-power-backlight-helper --get-max-brightness
File size: 14656 bytes
MD5 hash: 3d221ad23f28ca3259f599b1664e2427

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/bin/xfce4-panel
Arguments: -
File size: 375768 bytes
MD5 hash: a15b657c7d54ac1385f1f15004ea6784

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 12582924 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
File size: 35136 bytes
MD5 hash: ac0b8a906f359a8ae102244738682e76

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/bin/xfce4-panel
Arguments: -
File size: 375768 bytes
MD5 hash: a15b657c7d54ac1385f1f15004ea6784

Start time (UTC): 03:44:14
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 12582925 actions "Action Buttons" "Log out, lock or other system actions"
File size: 35136 bytes
MD5 hash: ac0b8a906f359a8ae102244738682e76

Start time (UTC): 03:44:21
Start date (UTC): 26/03/2025
Path: /usr/bin/dbus-daemon
Arguments: -
File size: 249032 bytes
MD5 hash: 3089d47e3f3ab84cd81c48fd406d7a8c

Start time (UTC): 03:44:21
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
Arguments: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
File size: 112880 bytes
MD5 hash: 4c7a0d6d258bb970905b19b84abcd8e9

Start time (UTC): 03:44:26
Start date (UTC): 26/03/2025
Path: /usr/lib/systemd/systemd
Arguments: -
File size: 1620224 bytes
MD5 hash: 9b2bec7092a40488108543f9334aab75

Start time (UTC): 03:44:26
Start date (UTC): 26/03/2025
Path: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
Arguments: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
File size: 112872 bytes
MD5 hash: eee956f1b227c1d5031f9c61223255d1