Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'WindowsSecurityHelper' = '<Full path to file>'
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\windowssecurityhelper.pyw
Malicious functions
Terminates or attempts to terminate
the following system processes:
- <SYSTEM32>\windowspowershell\v1.0\powershell.exe
Reads files which store third party applications passwords
- %LOCALAPPDATA%\microsoft\edge\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\microsoft\edge\user data\default\web data
- %APPDATA%\opera software\opera stable\login data
Modifies file system
Creates the following files
- %TEMP%\_mei32042\81d243bd2c585b0f4821__mypyc.cp314-win_amd64.pyd
- %TEMP%\_mei32042\pil\_avif.cp314-win_amd64.pyd
- %TEMP%\_mei32042\pil\_imaging.cp314-win_amd64.pyd
- %TEMP%\_mei32042\pil\_imagingcms.cp314-win_amd64.pyd
- %TEMP%\_mei32042\pil\_imagingmath.cp314-win_amd64.pyd
- %TEMP%\_mei32042\pil\_imagingtk.cp314-win_amd64.pyd
- %TEMP%\_mei32042\pil\_webp.cp314-win_amd64.pyd
- %TEMP%\_mei32042\vcruntime140.dll
- %TEMP%\_mei32042\vcruntime140_1.dll
- %TEMP%\_mei32042\_asyncio.pyd
- %TEMP%\_mei32042\_bz2.pyd
- %TEMP%\_mei32042\_ctypes.pyd
- %TEMP%\_mei32042\_decimal.pyd
- %TEMP%\_mei32042\_elementtree.pyd
- %TEMP%\_mei32042\_hashlib.pyd
- %TEMP%\_mei32042\_lzma.pyd
- %TEMP%\_mei32042\_multiprocessing.pyd
- %TEMP%\_mei32042\_overlapped.pyd
- %TEMP%\_mei32042\_queue.pyd
- %TEMP%\_mei32042\_socket.pyd
- %TEMP%\_mei32042\_sqlite3.pyd
- %TEMP%\_mei32042\_ssl.pyd
- %TEMP%\_mei32042\_uuid.pyd
- %TEMP%\_mei32042\_wmi.pyd
- %TEMP%\_mei32042\_zstd.pyd
- %TEMP%\_mei32042\api-ms-win-core-console-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-datetime-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-debug-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-errorhandling-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-fibers-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-fibers-l1-1-1.dll
- %TEMP%\_mei32042\api-ms-win-core-file-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-file-l1-2-0.dll
- %TEMP%\_mei32042\api-ms-win-core-file-l2-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-handle-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-heap-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-interlocked-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-kernel32-legacy-l1-1-1.dll
- %TEMP%\_mei32042\api-ms-win-core-libraryloader-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-localization-l1-2-0.dll
- %TEMP%\_mei32042\api-ms-win-core-memory-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-namedpipe-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-processenvironment-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-processthreads-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-processthreads-l1-1-1.dll
- %TEMP%\_mei32042\api-ms-win-core-profile-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-rtlsupport-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-string-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-synch-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-synch-l1-2-0.dll
- %TEMP%\_mei32042\api-ms-win-core-sysinfo-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-sysinfo-l1-2-0.dll
- %TEMP%\_mei32042\api-ms-win-core-timezone-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-core-util-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-conio-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-convert-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-environment-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-filesystem-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-heap-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-locale-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-math-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-process-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-runtime-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-stdio-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-string-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-time-l1-1-0.dll
- %TEMP%\_mei32042\api-ms-win-crt-utility-l1-1-0.dll
- %TEMP%\_mei32042\base_library.zip
- %TEMP%\_mei32042\certifi\cacert.pem
- %TEMP%\_mei32042\charset_normalizer\cd.cp314-win_amd64.pyd
- %TEMP%\_mei32042\charset_normalizer\md.cp314-win_amd64.pyd
- %TEMP%\_mei32042\libcrypto-3.dll
- %TEMP%\_mei32042\libffi-8.dll
- %TEMP%\_mei32042\libssl-3.dll
- %TEMP%\_mei32042\pyexpat.pyd
- %TEMP%\_mei32042\python314.dll
- %TEMP%\_mei32042\select.pyd
- %TEMP%\_mei32042\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\installer
- %TEMP%\_mei32042\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\metadata
- %TEMP%\_mei32042\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\record
- %TEMP%\_mei32042\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\wheel
- %TEMP%\_mei32042\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\licenses\license
- %TEMP%\_mei32042\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\top_level.txt
- %TEMP%\_mei32042\setuptools\_vendor\jaraco\text\lorem ipsum.txt
- %TEMP%\_mei32042\sqlite3.dll
- %TEMP%\_mei32042\ucrtbase.dll
- %TEMP%\_mei32042\unicodedata.pyd
- <Current directory>\chrome_login_tmp.db
- <Current directory>\edge_login_tmp.db
- <Current directory>\chrome_login_extract.db
- <Current directory>\chrome_web_extract.db
- <Current directory>\edge_login_extract.db
- <Current directory>\edge_web_extract.db
- <Current directory>\opera_login_extract.db
- <Current directory>\opera_web_extract.db
- <Current directory>\screenshot_temp.png
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-6a3dcc47-17c8.pma
- %LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-6a3dcc4a-14a4.pma
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\index
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_0
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_2
- %LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_3
Deletes following files that it created itself
- <Current directory>\chrome_login_tmp.db
- <Current directory>\edge_login_tmp.db
- <Current directory>\chrome_login_extract.db
- <Current directory>\chrome_web_extract.db
- <Current directory>\edge_login_extract.db
- <Current directory>\edge_web_extract.db
- <Current directory>\opera_login_extract.db
- <Current directory>\opera_web_extract.db
- <Current directory>\screenshot_temp.png
Modifies the following files
Network activity
Connects to
- 'ap#.#pify.org':443
- 'ip##pi.com':80
- 'di##ord.com':443
TCP
HTTP GET requests
- http://ip##pi.com/json/185.93.40.66?fi##############################################################################################
Other
- 'ap#.#pify.org':443
- 'di##ord.com':443
UDP
- DNS ASK ap#.#pify.org
- DNS ASK ip##pi.com
- DNS ASK di##ord.com
Miscellaneous
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe' /c "ver"
- '<SYSTEM32>\wbem\wmic.exe' computersystem get model
- '<SYSTEM32>\netsh.exe' wlan show profiles
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoP -NonI -W H "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select -ExpandProperty displayName"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoP -NonI -W H "Get-MpComputerStatus | Select -ExpandProperty AMServiceEnabled"
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --single-argument https://www.youtube.com/watch?v=yfvNM_opeJc
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate https://www.youtube.com/watch?v=yfvNM_opeJc
- '<SYSTEM32>\cmd.exe' /c "ver"' (with hidden window)
- '%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate https://www.youtube.com/watch?v=yfvNM_opeJc' (with hidden window)
