Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials etc.

Command and Scripting Interpreter: PowerShell

Using powershell.exe command.

Enumerates connected drives

Attempts to read the root path of hard drives other than the default C: drive.

Obfuscated Files or Information: Command Obfuscation

Adversaries may obfuscate content during command execution to impede detection.

Writes to the Master Boot Record (MBR)

Bootkits write to the MBR to gain persistence at a level below the operating system.

Drops file in System32 directory