Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %APPDATA%\microsoft\windows\start menu\programs\startup\<File name>.exe
Modifies file system
Creates the following files
- %TEMP%\_mei11122\barlowcondensed-light.ttf
- %TEMP%\_mei11122\pil\_avif.cp313-win_amd64.pyd
- %TEMP%\_mei11122\pil\_imaging.cp313-win_amd64.pyd
- %TEMP%\_mei11122\pil\_imagingcms.cp313-win_amd64.pyd
- %TEMP%\_mei11122\pil\_imagingft.cp313-win_amd64.pyd
- %TEMP%\_mei11122\pil\_imagingmath.cp313-win_amd64.pyd
- %TEMP%\_mei11122\pil\_imagingtk.cp313-win_amd64.pyd
- %TEMP%\_mei11122\pil\_webp.cp313-win_amd64.pyd
- %TEMP%\_mei11122\vcruntime140.dll
- %TEMP%\_mei11122\vcruntime140_1.dll
- %TEMP%\_mei11122\_asyncio.pyd
- %TEMP%\_mei11122\_bz2.pyd
- %TEMP%\_mei11122\_ctypes.pyd
- %TEMP%\_mei11122\_decimal.pyd
- %TEMP%\_mei11122\_elementtree.pyd
- %TEMP%\_mei11122\_hashlib.pyd
- %TEMP%\_mei11122\_lzma.pyd
- %TEMP%\_mei11122\_multiprocessing.pyd
- %TEMP%\_mei11122\_overlapped.pyd
- %TEMP%\_mei11122\_queue.pyd
- %TEMP%\_mei11122\_socket.pyd
- %TEMP%\_mei11122\_ssl.pyd
- %TEMP%\_mei11122\_wmi.pyd
- %TEMP%\_mei11122\base_library.zip
- %TEMP%\_mei11122\libcrypto-3.dll
- %TEMP%\_mei11122\libffi-8.dll
- %TEMP%\_mei11122\libssl-3.dll
- %TEMP%\_mei11122\pyexpat.pyd
- %TEMP%\_mei11122\python313.dll
- %TEMP%\_mei11122\select.pyd
- %TEMP%\_mei11122\unicodedata.pyd
- %TEMP%\ycrk4zfx
- %TEMP%\tmpsjpm8e9_.ico
Deletes following files that it created itself
- %TEMP%\ycrk4zfx
- %TEMP%\tmpsjpm8e9_.ico
Miscellaneous
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe' /c "ver"
- '<SYSTEM32>\cmd.exe' /c "ver"' (with hidden window)
