home

krymqmqxufnk

DataMon

In solutions doo

The file krymqmqxufnk by In solutions doo has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘NetCtl’. The file has been seen being downloaded from s3.amazonaws.com. While running, it connects to the Internet address know-sspiprxy-vip.network.virginmedia.net on port 80 using the HTTP protocol.
Publisher:
World Computing  (signed by In solutions doo)

Product:
DataMon

Description:
Data usage

Version:
1.0.3.19

MD5:
973f426196675a9d98209692b8006d61

SHA-1:
bf90a55000debd5c5b46fc8596f5e34de3b7076a

SHA-256:
b6ac032cb8026b4633cf88f70d1e2e6d5a1e3dd813c59df6c3101b2af16159a9

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/6/2024 3:36:23 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Adware.Dropper (M)
17.2.10.20

File size:
2.7 MB (2,790,208 bytes)

Product version:
1.0.3.19

Copyright:
Copyright World Computing(C) 2017

Original file name:
DataMon.exe

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\krymqmqxufnk

Digital Signature
Signed by:
In solutions doo

Authority:
DigiCert Inc

Valid from:
11/23/2016 12:00:00 AM

Valid to:
11/28/2017 12:00:00 PM

Subject:
CN="""In solutions"" doo", O="""In solutions"" doo", L=Inđija, C=RS

Issuer:
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
0FE5BA5D63EF0CB81C25046163E24AF2

File PE Metadata
Compilation timestamp:
2/10/2017 4:29:55 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x46204

Entry point:
E8, B5, 04, 01, 00, E9, 00, 00, 00, 00, 6A, 14, 68, A0, 36, 49, 00, E8, 96, 45, 00, 00, E8, B1, 26, 00, 00, 0F, B7, F0, 6A, 02, E8, 45, AF, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 0B, 47, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...
 
[+]

Entropy:
6.5342

Code size:
502.5 KB (514,560 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
NetCtl

Command:
C:\users\{user}\appdata\roaming\netctl\netctl.exe


The file krymqmqxufnk has been seen being distributed by the following URL.

https://s3.amazonaws.com/00bandwidthstat/.../inter_silent.exe

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to static.25.22.243.136.clients.your-server.de  (136.243.22.25:80)

TCP (HTTP):
Connects to know-sspiprxy-vip.network.virginmedia.net  (62.252.172.241:80)

Remove krymqmqxufnk - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.