# Virus

## W32/GenKryptik.AVXR!tr

### Analysis

W32/GenKryptik.AVXR!tr is a generic detection for a trojan. Because the detection is generic, samples detected as W32/GenKryptik.AVXR!tr may differ in behaviour.
Below are examples of some of these behaviours:

• This malware may drop any of the following file(s):
  • %AppData%\[Random]\[Random].exe : This file is detected as W32/GenKryptik.AVXR!tr.
  • %AppData%\[Random]\[Random].lck : This is a data file.
  • %AppData%\lesrss.dat : This file is a text file.
  • %AppData%\pid.txt : This file is a text file.
  • %AppData%\pidloc.txt : This file is a text file.
  • %AppData%\remcos\remcos.exe : This file is a copy of the original malware itself.
  • %AppData%\subfolder\filename.exe : This file is detected as W32/GenKryptik.AVXR!tr.
  • %AppData%\subfolder\rfgfcwsxf.exe : This file is detected as W32/GenKryptik.AVXR!tr.
  • %StartUp%\filename.vbe : This file is a text file.
  • %StartUp%\rfgfcwsxf.vbe : This file is a text file.
  • %Temp%\install.vbs : This is a small VBS script that launches remcos.exe.

• This malware may connect to any of the following remote site(s):
  • bizlen{Removed}.usa.cc
  • lokpanel{Removed}.info

• This malware may apply any of the following registry modification(s):
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Remcos = %AppData%\remcos\remcos.exe
    This automatically executes the dropped file every time the infected user logs on.

• Some instances of this malware may have code injection capabilities.
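The following PowerShell script is an added example and is not part of this Fortinet entry. It turns the dropped-file, Startup-folder and Run-key indicators listed above into a read-only host check that reports matches without deleting or modifying anything. The fixed file names, the Startup .vbe names and the `Remcos` Run value come from the list above; the assumptions are that `%AppData%\[Random]\[Random].exe` can be recognised by an `.exe` sitting beside a same-named `.lck` in a direct subfolder of `%AppData%`, and that any `.vbe`/`.vbs` file in the Startup folder is worth reporting.

```powershell
# Added example, not from the Fortinet advisory: read-only check for the
# W32/GenKryptik.AVXR!tr indicators listed on this page. Reports only.

$appData  = $env:APPDATA
$temp     = $env:TEMP
$startup  = [Environment]::GetFolderPath('Startup')
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Category, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Fixed-name dropped files named on the page
$fixedPaths = @(
    (Join-Path $appData 'remcos\remcos.exe'),
    (Join-Path $appData 'lesrss.dat'),
    (Join-Path $appData 'pid.txt'),
    (Join-Path $appData 'pidloc.txt'),
    (Join-Path $appData 'subfolder\filename.exe'),
    (Join-Path $appData 'subfolder\rfgfcwsxf.exe'),
    (Join-Path $startup 'filename.vbe'),
    (Join-Path $startup 'rfgfcwsxf.vbe'),
    (Join-Path $temp    'install.vbs')
)
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'Dropped file' $p }
}

# 2. %AppData%\[Random]\[Random].exe with a [Random].lck sibling.
#    Assumption: the random names cannot be matched literally, so look for
#    an .exe and a same-named .lck in any direct subfolder of %AppData%.
Get-ChildItem -LiteralPath $appData -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = $_.FullName
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lck = Join-Path $dir ($_.BaseName + '.lck')
        if (Test-Path -LiteralPath $lck) {
            Add-Finding 'Exe with .lck sibling under %AppData%' $_.FullName
        }
    }
}

# 3. Script files in the Startup folder (the page names filename.vbe and
#    rfgfcwsxf.vbe; assumption: other .vbe/.vbs files there are also of interest)
Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbe', '.vbs' } |
    ForEach-Object { Add-Finding 'Script in Startup folder' $_.FullName }

# 4. Run-key persistence: the "Remcos" value, or any value whose data points
#    at remcos\remcos.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path -LiteralPath $runKey) {
    $item = Get-Item -LiteralPath $runKey
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($name -eq 'Remcos' -or $data -like '*\remcos\remcos.exe*') {
            Add-Finding 'Run key persistence' ('{0} = {1}' -f $name, $data)
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/GenKryptik.AVXR!tr indicators from this page were found.'
    exit 0
}
$findings | Format-Table -AutoSize
exit 1
```

Run it in the context of the user whose profile is being checked, since `%AppData%`, `%Temp%`, the Startup folder and `HKEY_CURRENT_USER` all resolve per user; a non-zero exit code signals that at least one indicator matched so the script can be used from a scheduled task or an endpoint-management job.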

### Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.