Executes dropped EXE

Checks hardware identifiers (DMI)

Checks DMI information which indicate if the system is a virtual machine.

Enumerates running processes

Discovers information about currently running processes on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Uses a legitimate IP lookup service to find the infected system's external IP.

Reads hardware information

Accesses system info like serial numbers, manufacturer names etc.

Reads list of loaded kernel modules

Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

Write file to user bin folder