PUA_ADKRYP

This potentially unwanted application may arrive bundled with malware packages as a malware component. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain websites to send and receive information.

Arrival Details

This potentially unwanted application may arrive bundled with malware packages as a malware component.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Download Routine

This potentially unwanted application saves the files it downloads using the following names:

• %User Temp%\{GUID}
  
  The file is archive containing containing files that are extracted and executed. The file downloaded varies from URL response. If extracted, it normally contains the following:
  
  • conf.json
  • CrashReport.dll
  • {filename 1}.exe
  • {filename 2}.dll
  • {filename 3}.dll
  • launcher.dll
  • Release.dll

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Other Details

This potentially unwanted application connects to the following website to send and receive information:

• http://www.{BLOCKED}x.com//search/z.php
• http://{random subdomain}.cloudfront.net/{random path}?{random values}