Adware Reports malware removal guides and threat research Updated security instructions for Windows users
Home/Malware
Threat report

Win32/Kryptik.HMMM removal

Published Sep 25, 2021 Malware category 3 min read
Report context

What to verify before removal

This report keeps Win32/Kryptik.HMMM removal in the active library because the detection has enough technical context to support a careful second-opinion scan and cleanup decision.

The technical section is meant to connect the detection name with observable evidence such as persistence entries, dropped files, unusual processes, and browser or network changes. Compare the identifiers here with the local file before deleting anything, then use the cleanup workflow to scan, quarantine, and verify the system state.

  • Confirm the detection name matches Win32/Kryptik.HMMM removal before removing related files.
  • Review the report for persistence entries, dropped files, unusual processes, and browser or network changes so the cleanup is based on observed behavior, not only the label.
  • Run a full scan, quarantine confirmed detections, and restart before signing back in to sensitive accounts.

The Win32/Kryptik.HMMM is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

What Win32/Kryptik.HMMM virus can do?

  • Executable code extraction
  • Injection (inter-process)
  • Injection (Process Hollowing)
  • Creates RWX memory
  • A process attempted to delay the analysis task.
  • A process created a hidden window
  • Drops a binary and executes it
  • Performs some HTTP requests
  • Unconventionial language used in binary resources: Uzbek (Latin)
  • The binary likely contains encrypted or compressed data.
  • Executed a process and injected code into it, probably while unpacking
  • Network activity contains more than one unique useragent.
  • Installs itself for autorun at Windows startup
  • Writes a potential ransom message to disk
  • Attempts to modify proxy settings
  • Creates a copy of itself
  • Anomalous binary characteristics
  • Uses suspicious command line tools or Windows utilities

Related domains:

z.whorecord.xyz
api.2ip.ua
a.tomx.xyz
securebiz.org
tbpws.top
mas.to

How to determine Win32/Kryptik.HMMM?



File Info:

crc32: D52DDD14
md5: 4e47b49944b7ddc0fa4ee4e0ee7b454d
name: 4E47B49944B7DDC0FA4EE4E0EE7B454D.mlw
sha1: 5bdd8f07800e230bafb154775cb9015cff4b64fd
sha256: b745b1a05ea601deb736ca97b135132cab7fe3c50670e6b1f7837a0fe79689c8
sha512: 7f827a664199a62c5a527dd814dc660a56b4897993d9646f045adde1c6e818843c3bb5825fd769f85a6cd1b97f80c0e46b46fb5fed335b7ef749c801e669f26d
ssdeep: 12288:pqbQSxOWZVMxluWipVE9RcyBQqBQHcLyY1JaVlpJDyP1cSAILwcH3xJRt:KQ1WZiCWiba+mB9R8VlpJDy6SF0cXxJ
type: PE32 executable (GUI) Intel 80386, for MS Windows


Version Info:

InternalName: sojbmoemonu.uhe
ProductVersion: 8.19.590.38
Copyright: Copyrighz (C) 2021, fudkagata
Translation: 0x0129 0x0167

Win32/Kryptik.HMMM also known as:

K7AntiVirus Trojan ( 0058273e1 )
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
CAT-QuickHeal Ransom.Stop.P5
ALYac Gen:Variant.Fragtor.20416
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
K7GW Trojan ( 0058273e1 )
Cyren W32/Kryptik.EWJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Kryptik.HMMM
APEX Malicious
Avast Win32:DropperX-gen [Drp]
ClamAV Win.Packed.Fragtor-9893009-0
Kaspersky HEUR:Trojan-Ransom.Win32.Stop.gen
BitDefender Gen:Variant.Fragtor.20416
MicroWorld-eScan Gen:Variant.Fragtor.20416
Ad-Aware Gen:Variant.Fragtor.20416
Sophos ML/PE-A + Troj/Krypt-BO
BitDefenderTheta Gen:NN.ZexaF.34170.Tq0@aKUK1UeG
McAfee-GW-Edition BehavesLike.Win32.Generic.bc
FireEye Generic.mg.4e47b49944b7ddc0
Emsisoft Trojan.Crypt (A)
Microsoft Ransom:Win32/StopCrypt.MBK!MTB
Gridinsoft Ransom.Win32.STOP.ko!se35367
GData Gen:Variant.Fragtor.20416
AhnLab-V3 Trojan/Win.MalPE.R441518
McAfee Packed-GDT!4E47B49944B7
MAX malware (ai score=80)
VBA32 BScope.Backdoor.Androm
Malwarebytes Trojan.Downloader
Panda Trj/GdSda.A
Rising Trojan.Kryptik!1.D977 (CLASSIC)
SentinelOne Static AI – Malicious PE
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Packed.GDT!tr
AVG Win32:DropperX-gen [Drp]

How to remove Win32/Kryptik.HMMM?

Recommended second-opinion scan

Verify the infection before changing system settings

Use GridinSoft Anti-Malware to run a full scan, review detected persistence entries, and quarantine confirmed threats before restarting Windows.

Download GridinSoft Anti-Malware
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan“.
  • Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings“.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.