Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.W32.Kryptik.LKE.gen.Eldorado.17641.17677.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\soft[1]

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\dll[1]

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\WwsefYvRAzYZN1v3frKwFA1wF8\Bunifu_UI_v1.5.3.dll

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\WwsefYvRAzYZN1v3frKwFA1wF8\Y-Cleaner.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3b1ee01e6e6a552eb3f6b99786c786b0c8ec181_3aafbe1c_31263007-c9a4-4dd8-88fe-277adad8ad29\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3b1ee01e6e6a552eb3f6b99786c786b0c8ec181_3aafbe1c_33a9eb5f-865c-4920-a1d4-504381002f3d\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3b1ee01e6e6a552eb3f6b99786c786b0c8ec181_3aafbe1c_6235f1a8-eaa3-4c7a-a937-e0178dcf0a3f\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3b1ee01e6e6a552eb3f6b99786c786b0c8ec181_3aafbe1c_72469813-e283-4fce-8b45-4d1ed0110b0e\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3b1ee01e6e6a552eb3f6b99786c786b0c8ec181_3aafbe1c_e399e4df-df4b-402c-8d04-d827c46b0fdd\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3b1ee01e6e6a552eb3f6b99786c786b0c8ec181_3aafbe1c_fd57a539-133a-4b4b-9e3d-23c4fb226572\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_4ae234de8f939132ac9416fcbaba6e3171b928a6_3aafbe1c_c0102fc4-fda2-4d08-8dc1-b11d28054b30\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_a455d2dc16ddc59dc025e53de7238c64ae79f0e5_3aafbe1c_c0fb8f11-2a05-4d8e-aa9e-c3816a9fa8f8\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_da60af89a9fee28cf7d277ee3641e37315f7f8e_3aafbe1c_00c911f6-5e77-4bda-a691-ffd6c73862b1\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66C9.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:08:03 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6776.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6796.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6969.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:08:04 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69C8.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A27.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C19.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:08:05 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C87.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CD6.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER70BC.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:08:06 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER712A.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER715A.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER730E.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:08:07 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER737C.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER73CB.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER75CD.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:08:07 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER767A.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76B9.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76E.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:08:45 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB09.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB49.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC09C.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:09:32 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2B1.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC30F.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD69.tmp.dmp

Mini DuMP crash report, 14 streams, Tue Oct 8 08:08:46 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD8.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF8.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\download[1].htm

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\name[1].htm

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\key[1].htm

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\fuckingdllENCR[1].dll

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\add[1].htm

very short file (no magic)

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\download[1].htm

very short file (no magic)

dropped

C:\Users\user\Desktop\Cleaner.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Icon number=0, Archive, ctime=Tue Oct 8 07:08:44 2024, mtime=Tue Oct 8 07:08:44 2024, atime=Tue Oct 8 07:08:44 2024, length=1502720, window=hide

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 39 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.W32.Kryptik.LKE.gen.Eldorado.17641.17677.exe

"C:\Users\user\Desktop\SecuriteInfo.com.W32.Kryptik.LKE.gen.Eldorado.17641.17677.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1540

URLs

Name

Malicious

http://80.66.75.114/files/downloadw

unknown

http://80.66.75.114/soft/download9

unknown

http://80.66.75.114/files/downloadu

unknown

http://80.66.75.114/dll/key

80.66.75.114

http://80.66.75.114/files/download3

unknown

http://80.66.75.114/dll/downloadxA

unknown

http://80.66.75.114/files/download?

unknown

http://80.66.75.114/files/download

80.66.75.114

http://80.66.75.114/files/download4/files/download

unknown

http://80.66.75.114/files/download9

unknown

http://80.66.75.114/namem7n

unknown

http://upx.sf.net

unknown

http://80.66.75.114/files/downloadZv

unknown

http://80.66.75.114/soft/downloadE

unknown

http://80.66.75.114/soft/download

80.66.75.114

http://80.66.75.114/name

80.66.75.114

http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174

unknown

http://80.66.75.114/files/download4/files/downloadE

unknown

http://80.66.75.114/nameQ?

unknown

http://80.66.75.114/files/downloadLMEM

unknown

http://80.66.75.114/name=7

unknown

http://80.66.75.114/files/downloadQ

unknown

http://80.66.75.114/files/download4/files/downloadu

unknown

http://80.66.75.114/soft/downloadQ

unknown

http://80.66.75.114/dll/download

80.66.75.114

https://g-cleanit.hk

unknown

http://80.66.75.114/name-6.

unknown

http://80.66.75.114/files/downloadE

unknown

http://80.66.75.114/files/downloadA

unknown

http://80.66.75.114/dll/keym7n

unknown

http://80.66.75.114/soft/download14/soft/download

unknown

http://80.66.75.114/add?substr=mixnine&s=three&sub=NOSUB

80.66.75.114

http://80.66.75.114/add?substr=mixnine&s=three&sub=NOSUBK

unknown

http://80.66.75.114/files/downloadData

unknown

https://iplogger.org/1Pz8p7

unknown

http://80.66.75.114/files/downloadtem32

unknown

There are 26 hidden URLs, click here to show them.

IPs

Domain

Country

Malicious

80.66.75.114

unknown

Russian Federation

Details

IP:	80.66.75.114
TargetID:	0
Current Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Kryptik.LKE.gen.Eldorado.17641.17677.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	20803
ASN name:	RISS-ASRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking