Am I Hacked? Weird behaviour in workstation

I am using Whonix virtualbox port

When I boot workstation up, something caught my eye everytime
An odd file/folder is created on the desktop for less than a second and quickly removed, more quickly than I can read it’s name

I am wondering why is this happening? Anything I can do to investigate further?

Valid Compromise Indicators versus Invalid Compromise Indicators

(Whonix is based on Kicksecure.)

To be clear I only opened an .png image in tor browser however that image could have infected me somehow

I know it’s not a really good attacker if they leave obvious trace like that in the Desktop folder out of all places but I still want to know what is causing that, is there anyway I can monitor for file/folder creation only on desktop on startup?

It’s easier to deploy off-the-shelf malware and have no visual evidence of that (folder created, removed alike stuff) than to deploy and have such weird side effects. With modern explorations toolkit such as metasploit which are available to script kiddies, I really don’t see why any attack would mess up like that.

Yes but it’s not a simple and single thing. You would need extensive Linux sysadmin skills (inotifywait, Xfce autostart knowledge, systemd, …). A time intensive complex investigation to figure that out. This is unspecific to Whonix and out of scope for support.

For what you’re asking for, see Malware Audits.