Changes its process name

Executes dropped EXE

Modifies hosts file

Adds to hosts file used for mapping hosts to IP addresses.

Attempts to change immutable files

Modifies inode attributes on the filesystem to allow changing of immutable files.

Creates a large amount of network flows

This may indicate a network scan to discover remotely running services.

Creates/modifies Cron job

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Enumerates running processes

Discovers information about currently running processes on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Uses a legitimate IP lookup service to find the infected system's external IP.

Modifies init.d

Adds/modifies system service, likely for persistence.

Modifies systemd

Adds/ modifies systemd service files. Likely to achieve persistence.

Reads CPU attributes

Write file to user bin folder