Trojan.Kryptik.XXCY
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 2,066 |
|---|---|
| Threat Level: | 80 % (High) |
| Infected Computers: | 257 |
| First Seen: | May 5, 2026 |
| Last Seen: | May 15, 2026 |
| OS(es) Affected: | Windows |
Analysis Report
General information
| Family Name: | Trojan.Kryptik.XXCY |
|---|---|
| Signature status: | Modified signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 168defcb2cd7d4e104ebee222ddb0c25 | 7520dfcc8b953a56cbf330f0a6f124d25a7d5489 | 23EEB2F96DA17EFC65E263FCDB74579242CEB9BF69FD29DA4351A14E3D1152DE | 1.66 MB, 1664512 bytes |
| 903c18603af585443b7e2ff26add644e | f451b492bbd3e43f4f2bd2bc408f34e19520dc41 | D50BCD82F84247D4DDEAE5C8ED33C6CBAC02EE357FE1113E1FEF0384D44508F7 | 1.92 MB, 1921552 bytes |
| 742e11608cf077e7c01d62dc4d7ba5af | ecc73f18caf762033dae580995ec4a54b779dd08 | FB06129E2E91B5C9C789B3656A84426EB5078F8ACCC498D24599A5727440295E | 1.62 MB, 1616384 bytes |
| 9e98f4c0311e87b6106389a9f058a55b | bfd632e5834e5acfa0a7a97cdc7fdb2dbae95f92 | 51E9A04CEE295D5028E5472E017D2DBDCA2633C840F32501433857CDB1ED227D | 1.55 MB, 1551872 bytes |
| 49fe2184075e5cc503ff17308296237c | 52d343b8f2b999a8fafa273e6a192d7c48d66177 | 934931C2D348203B7E1A511587F02DFE84F8F2FF8EE977F8112C4CFE934EB482 | 1.88 MB, 1883232 bytes |
| 468b5dd7646535684858c867f33ddd2a | 351d7a70edb08c7538224ac193b5f46935894108 | 754D9E199143D0D9E6F3F861CEC2FD2F9696ED2F997A888F2301D15746F4D20C | 1.88 MB, 1876992 bytes |
| 6be859e3398823f103000dbfcc814bbb | b131a522d3bb24d8b37ef023080327f5ab0e9652 | 65E291AF4CDC173C88BCF08BEBD42E0CFB21A81F1C035CB46F8FF8DD11729235 | 1.37 MB, 1369316 bytes |
| 1316c447ae46ed03b08d8d96d32efadb | 6050f90bfa052e79377c117878daa4cb6e3c1dad | C863B15F94000B6CB87697628A7D8E30859AA557CF8F139364C1A20327D528FE | 1.34 MB, 1337344 bytes |
| 445863a6465571906beed5a4149d36ec | f824915f790260a40ac05a9eb3ba2cba7230c707 | 4B5858A2F2A4FE77396786D3161F03CD08BFDA9B9860DE9C8808609B118D6E58 | 1.86 MB, 1861136 bytes |
| f38f380537918a47da4ff08c2bc894e5 | 586742cf91d0edecd531cffbc70cab5123b8d668 | 8A7C27F4B334E1386D3AD566AA1C6D6EC90285629E363998E8359D2ED323A4F0 | 1.37 MB, 1371692 bytes |
| 9fde0ed3f9218a3a845e603eb15911c5 | f98b249af128802ce5684deaf6d2d980fe2fc45b | 713D70CB5D1FBE517947167513F1EB673514BF2785F84527FF583E74FA526F70 | 1.44 MB, 1443320 bytes |
Windows Portable Executable Attributes
These attributes are aggregated across the samples listed above, so the mutually exclusive entries (packed and not packed, has and doesn't have an exports table, console and GUI subsystem) describe different samples in the family rather than one file. Check each attribute against the specific sample in hand before using it to classify or to write a rule.
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software. The "Last Change" (a source-control commit identifier), "Official Build" and "Product Chromium Version" fields are Chromium build metadata, consistent with the "Yandex Installer" product name; note that the File Traits list below also records "No Version Info", so not every sample carries this resource.

| Name | Value |
|---|---|
| Company Name | |
| Company Short Name | YANDEX LLC |
| File Description | |
| File Version | |
| Internal Name | |
| Last Change | 2c766308734776dfc7fb6e01e7128b25332bca0f |
| Legal Copyright | |
| Official Build | 1 |
| Original Filename | drivers.exe |
| Product Chromium Version | 74.0.3729.169 |
| Product Name | |
| Product Short Name | Yandex Installer |
| Product Version | |
| Product Yandex Version | 19.6.0.1574 |
| Source Control ID | |
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.

The two entries below name GlobalSign code-signing CAs in the "Root" column (these are issuing intermediates, not root certificates) while reporting a "Self Signed" status, which is internally inconsistent. Do not treat either row as a verified chain: check the Authenticode signature on the sample yourself (for example with signtool verify /pa /v, or Get-AuthenticodeSignature in PowerShell), confirm that the chain ends at a trusted root, and check whether the signing certificate has since been revoked.

| Signer | Root | Status |
|---|---|---|
| YANDEX LLC | GlobalSign CodeSigning CA - G3 | Self Signed |
| Yandex LLC | GlobalSign Extended Validation CodeSigning CA - SHA256 - G3 | Self Signed |
File Traits
- 2+ executable sections
- big overlay
- fptable
- HighEntropy
- Installer Version
- No Version Info
- packed
- upx
- x86
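Every entry in the Windows Portable Executable Attributes list and most of the File Traits above (executable section count, overlay, UPX section names, high entropy, x86) can be read straight out of the PE headers and section table. The script below is an added example, not EnigmaSoft's tooling and not code from any listed sample: it parses the DOS, COFF and optional headers plus the section table with only the Python standard library and reports the same flags (Rich header, debug/export/relocation/security/TLS/CLR directories, bitness, subsystem, DLL and executable-image bits), then computes the section-level traits. The PE it runs on by default is constructed inside the script (a minimal PE32 with two UPX-named code sections, a TLS directory entry and a 3000-byte overlay); its directory addresses are placeholders and it is not one of the hashes listed above. Pass a real file path to run it on a sample.

```python
"""Derive header-level PE attributes and section traits with only the standard library."""
import math
import random
import struct
import sys
from collections import Counter

# Constants from the PE/COFF specification.
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_TLS, DIR_CLR = 0, 4, 5, 6, 9, 14
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20, 0x20000000, 0x40000000
SUBSYSTEMS = {2: "GUI (IMAGE_SUBSYSTEM_WINDOWS_GUI)", 3: "CUI (IMAGE_SUBSYSTEM_WINDOWS_CUI)"}


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for compressed or encrypted data."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def pe_attributes(data):
    """Parse the DOS/COFF/optional headers and section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    is_pe32 = magic == 0x10B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs_off = opt + (92 if is_pe32 else 108)  # NumberOfRvaAndSizes; PE32+ has wider ImageBase/stack/heap fields
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(min(ndirs, 16))]

    def has_dir(idx):
        # A data directory is present when both its address and its size are non-zero.
        return idx < len(dirs) and dirs[idx][0] != 0 and dirs[idx][1] != 0

    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), raw_ptr, raw_size, flags))
    end_of_sections = max((p + s for _, p, s, _ in sections), default=0)
    return {
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],  # Rich header lives in the DOS stub area
        "has_debug_info": has_dir(DIR_DEBUG),
        "has_exports_table": has_dir(DIR_EXPORT),
        "has_relocations": has_dir(DIR_BASERELOC),
        "has_security_info": has_dir(DIR_SECURITY),  # Authenticode certificate table
        "has_tls": has_dir(DIR_TLS),
        "is_dotnet": has_dir(DIR_CLR),
        "is_32bit": is_pe32,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        # Section-level traits (compare the File Traits list).
        "executable_sections": sum(1 for s in sections if s[3] & IMAGE_SCN_MEM_EXECUTE),
        "upx_section_names": any(s[0].upper().startswith("UPX") for s in sections),
        "overlay_bytes": max(0, len(data) - end_of_sections),
        "max_section_entropy": round(max((shannon_entropy(data[p:p + s]) for _, p, s, _ in sections), default=0.0), 2),
    }


def build_sample_pe(section_payloads, overlay=b"", directories=None, subsystem=2,
                    characteristics=IMAGE_FILE_EXECUTABLE_IMAGE):
    """Constructed minimal PE32 for the demo (not a sample from the report); every section is code+exec+read."""
    directories = directories or {}
    file_align, nsec = 0x200, len(section_payloads)
    headers_size = -(-(0x40 + 4 + 20 + 0xE0 + 40 * nsec) // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40, no DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, characteristics)  # 0x14C = i386
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 14, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, file_align)
    opt += struct.pack("<HHHHHHI", 4, 0, 0, 0, 4, 0, 0)
    opt += struct.pack("<IIIHH", 0x1000 * (nsec + 1), headers_size, 0, subsystem, 0)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *directories.get(i, (0, 0))) for i in range(16))
    table, body, raw_ptr = b"", b"", headers_size
    for i, (name, payload) in enumerate(section_payloads):
        raw_size = -(-len(payload) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000 * (i + 1), raw_size, raw_ptr,
                             0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_size, b"\0") + body + overlay


# Deterministic pseudo-random bytes stand in for a compressed UPX0 section (assumed, not real content).
_rng = random.Random(1)
SAMPLE_PE = build_sample_pe(
    [(b"UPX0", bytes(_rng.getrandbits(8) for _ in range(4096))), (b"UPX1", b"\xCC" * 512)],
    overlay=b"\0" * 3000, directories={DIR_TLS: (0x2100, 0x18)})

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for key, value in pe_attributes(data).items():
        print(f"{key:22} {value}")
```

The packing heuristics here are deliberately crude: a section entropy near 8 bits per byte and UPX-named sections are strong hints, but a large overlay (the "big overlay" trait) is also what a self-extracting installer carrying its payload looks like, which is why the report's own attribute list contains both "packed" and "not packed" across the family.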
Files Modified
This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system. Paths are shown as recorded by the sandbox, where the user profile name changes between runs (user here, Xfzofcsm and Kauhmjmt in the sections that follow), so match on the path below the profile directory rather than on the full path. The file under Temp\Opera Installer\ is named after sample 2's SHA1 and byte size; that is the sandbox's naming for the submitted file, not a name chosen by the code.

| File | Attributes |
|---|---|
| \device\namedpipe\crashpad_8144_jahqzzrcpteoblci | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| \device\namedpipe\crashpad_8144_jahqzzrcpteoblci | Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288 |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\local\programs\opera | Read Attributes,Synchronize,Write Data |
| c:\users\user\appdata\local\temp\brandfile | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\clids.xml | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\clids_searchband.xml | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\distrib_info | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\lite_installer.log | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\master_preferences | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\opera installer\f451b492bbd3e43f4f2bd2bc408f34e19520dc41_0001921552 | Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144 |
| c:\users\user\appdata\local\temp\opera installer\opera_installer_20260505074055481.log | Read Attributes,Synchronize,Append data |
| c:\users\user\appdata\local\temp\opera_installer_2605051440547788144.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\opera_installer_2605051440550751900.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\opera_installer_2605051440553566180.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\opera_installer_2605051440557163296.dll | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\opera_installer_ui.lck | Generic Write,Read Attributes,Delete |
| c:\users\user\appdata\local\temp\partnerfile | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\website.ico | Generic Write,Read Attributes |
| c:\users\user\appdata\local\temp\yb916a.tmp | Generic Write,Read Attributes |
| c:\users\user\appdata\roaming\opera software\opera stable\crash reports\metadata | Generic Read,Write Data,Write Attributes,Write extended,Append data |
| c:\users\user\appdata\roaming\opera software\opera stable\crash reports\settings.dat | Generic Read,Write Data,Write Attributes,Write extended,Append data |
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system. The values below point at the files dropped under the Temp directory in the previous section (master_preferences, clids.xml, BrandFile, PartnerFile and website.ico).

| Key::Value | Data | API Name |
|---|---|---|
| HKCU\software\yandex\yandexbrowser::distribinfoparams | win10pin=1&vup=1&browser=OperaChrome/64/107.0.0.0&banerid=6400000000:65e5b024659e8548da036194&yandexuid=3041530851709551650&mong | RegNtPreCreateKey |
| HKCU\software\yandex\yandexbrowser::lang | en | RegNtPreCreateKey |
| HKCU\software\yandex\yandexbrowser::installerdata | C:\Users\Xfzofcsm\AppData\Local\Temp\master_preferences | RegNtPreCreateKey |
| HKCU\software\yandex\yandexbrowser::clidsfile | C:\Users\Xfzofcsm\AppData\Local\Temp\clids.xml | RegNtPreCreateKey |
| HKCU\software\yandex\yandexbrowser::clidssearchbandfile | C:\Users\Xfzofcsm\AppData\Local\Temp\clids_searchband.xml | RegNtPreCreateKey |
| HKCU\software\yandex\yandexbrowser::yandexwebsiteiconfile | C:\Users\Xfzofcsm\AppData\Local\Temp\website.ico | RegNtPreCreateKey |
| HKCU\software\yandex\yandexbrowser::brand | int | RegNtPreCreateKey |
| HKCU\software\yandex\yandexbrowser::brandfile | C:\Users\Xfzofcsm\AppData\Local\Temp\BrandFile | RegNtPreCreateKey |
| HKCU\software\yandex\yandexbrowser::partnerfile | C:\Users\Xfzofcsm\AppData\Local\Temp\PartnerFile | RegNtPreCreateKey |
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| User Data Access | |
| Anti Debug | |
| Process Manipulation Evasion | |
| Process Shell Execute | |
| Network Wininet | |
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

Two caveats before turning these lines into indicators. The executable name f451b492bbd3e43f4f2bd2bc408f34e19520dc41_0001921552 is sample 2's SHA1 followed by its size in bytes (see Known Samples), i.e. the sandbox's name for the submitted file, so it will not appear on a real victim. The second command is the Chromium crashpad handler invocation that an Opera build launches for itself (crash database under the Opera Stable profile, upload URL at crashstats-collector.opera.com, product OperaDesktop 56.0.3051.36); that invocation is expected installer behaviour and is only notable here because it is spawned from a file in the user's Downloads folder. The mixed user names within one command line (user and Kauhmjmt) are a sandbox artifact.

- "c:\users\user\downloads\f451b492bbd3e43f4f2bd2bc408f34e19520dc41_0001921552" --crash-reporter-parent-id=8144
- c:\users\user\downloads\f451b492bbd3e43f4f2bd2bc408f34e19520dc41_0001921552 c:\users\user\downloads\f451b492bbd3e43f4f2bd2bc408f34e19520dc41_0001921552 --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Kauhmjmt\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Kauhmjmt\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=56.0.3051.36 --initial-client-data=0x2b0,0x2ec,0x2e0,0x2b4,0x2f0,0x7412f360,0x7412f370,0x7412f37c
- "C:\Users\Kauhmjmt\AppData\Local\Temp\Opera Installer\f451b492bbd3e43f4f2bd2bc408f34e19520dc41_0001921552" --version
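The Files Modified, Registry Modifications and Shell Command Execution sections together give a behavioural profile, and Known Samples gives hashes. The script below is an added example of how to correlate those indicators over endpoint telemetry; it is not EnigmaSoft's detection logic and not code from the family. It consumes Sysmon-style records (ProcessCreate with Hashes and CommandLine, RegistryValueSet with TargetObject, FileCreate with TargetFilename), wildcards the per-run user profile name before matching, folds the HKU\<SID> form Sysmon logs back to the HKCU form used in the report, and flags an image either on a Known Samples SHA256 match or on at least two behavioural categories, because any single category (a crashpad handler launched from Downloads, the Temp drops, the yandexbrowser registry values) is also what a legitimately downloaded Yandex or Opera installer produces. The events, the SID and the second process are constructed for the demo; the paths and the hash are copied from the report, and the attribution of the file and registry events to the Downloads executable is an assumption.

```python
"""Correlate the report's file, registry, process and hash indicators over Sysmon-style events."""
import re
from collections import defaultdict

# Indicators taken from the report (Known Samples, Files Modified, Registry Modifications,
# Shell Command Execution). Sandbox user names vary per run (user, Xfzofcsm, Kauhmjmt),
# so the profile directory is replaced by '*' before matching.
KNOWN_SHA256 = {"D50BCD82F84247D4DDEAE5C8ED33C6CBAC02EE357FE1113E1FEF0384D44508F7"}  # sample 2
REGISTRY_KEY = "hkcu\\software\\yandex\\yandexbrowser"
REGISTRY_VALUES = {"distribinfoparams", "lang", "installerdata", "clidsfile", "clidssearchbandfile",
                   "yandexwebsiteiconfile", "brand", "brandfile", "partnerfile"}
TEMP = r"^c:\\users\\\*\\appdata\\local\\temp\\"
FILE_PATTERNS = [re.compile(TEMP + p) for p in (
    r"opera_installer_\d+\.dll$",
    r"opera installer\\",
    r"(brandfile|partnerfile|distrib_info|master_preferences|clids(_searchband)?\.xml)$",
)]
DOWNLOADS = "c:\\users\\*\\downloads\\"
CRASHPAD_FLAGS = ("--type=crashpad-handler", "--crash-reporter-parent-id=")


def normalize_path(path):
    """Lowercase, drop surrounding quotes and replace the user-profile name with '*'."""
    return re.sub(r"^c:\\users\\[^\\]+\\", lambda m: "c:\\users\\*\\", path.strip('"').lower())


def normalize_reg(target):
    """Sysmon records HKCU keys as HKU\\<SID>\\...; fold that back to the HKCU form used above."""
    return re.sub(r"^hku\\[^\\]+\\", lambda m: "hkcu\\", target.lower())


def parse_hashes(field):
    """Sysmon 'Hashes' field 'SHA1=..,MD5=..,SHA256=..' -> {'SHA1': .., ...}."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def match_event(ev):
    """Return the set of indicator categories a single event satisfies."""
    cats, image = set(), normalize_path(ev["Image"])
    if ev["EventType"] == "ProcessCreate":
        if parse_hashes(ev.get("Hashes", "")).get("SHA256", "").upper() in KNOWN_SHA256:
            cats.add("known_hash")
        cmd = ev["CommandLine"].lower()
        if image.startswith(DOWNLOADS) and any(flag in cmd for flag in CRASHPAD_FLAGS):
            cats.add("crashpad_from_downloads")
    elif ev["EventType"] == "RegistryValueSet":
        key, _, value = normalize_reg(ev["TargetObject"]).rpartition("\\")
        if key == REGISTRY_KEY and value in REGISTRY_VALUES:
            cats.add("registry")
    elif ev["EventType"] == "FileCreate":
        if any(p.match(normalize_path(ev["TargetFilename"])) for p in FILE_PATTERNS):
            cats.add("file_drop")
    return cats


def correlate(events, min_behavioural=2):
    """Group hits per normalized image. A known hash is decisive; otherwise require at least
    min_behavioural distinct behavioural categories, since any single one is also produced by
    a legitimately downloaded Opera/Yandex installer and would be noisy on its own."""
    hits = defaultdict(set)
    for ev in events:
        hits[normalize_path(ev["Image"])] |= match_event(ev)
    return {image: sorted(cats) for image, cats in hits.items()
            if "known_hash" in cats or len(cats - {"known_hash"}) >= min_behavioural}


# Constructed Sysmon-style records (not from the report's sandbox run): paths and the hash come
# from the report, the SID and the second process (setup.exe) are invented for contrast.
SAMPLE = r"C:\Users\Kauhmjmt\Downloads\f451b492bbd3e43f4f2bd2bc408f34e19520dc41_0001921552"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": SAMPLE, "CommandLine": f'"{SAMPLE}" --crash-reporter-parent-id=8144',
     "Hashes": "SHA256=D50BCD82F84247D4DDEAE5C8ED33C6CBAC02EE357FE1113E1FEF0384D44508F7"},
    {"EventType": "FileCreate", "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Kauhmjmt\AppData\Local\Temp\opera_installer_2605051440547788144.dll"},
    {"EventType": "RegistryValueSet", "Image": SAMPLE,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Yandex\YandexBrowser\InstallerData"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Kauhmjmt\Downloads\setup.exe",
     "CommandLine": r'"C:\Users\Kauhmjmt\Downloads\setup.exe" --type=crashpad-handler',
     "Hashes": "SHA256=" + "00" * 32},
]

if __name__ == "__main__":
    for image, cats in correlate(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(cats))
```

In production the hash set would be the full Known Samples list and the flagged image would be enriched with the Authenticode check described under Digital Signatures before anyone acts on it; the two-category threshold is a tuning knob, not a property of the family.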