PUADlManager:Win32/Snackarcin is a detection of Microsoft Defender that flags an unwanted program that is capable of downloading other unwanted programs. This, in turn, makes it pretty dangerous, at least from the user experience perspective. Ignoring it can end up with the system being cluttered with unwanted programs.
Unwanted programs like Snackarcin are usually less dangerous than malware, though I wouldn’t recommend ignoring them. Since it can deploy other unwanted programs, it all gains cumulative effect, turning the system into a mess. Moreover, apps that this PUA installs may install other unwanted programs on their own, proliferating like bunnies.
What is PUADlManager:Win32/Snackarcin?
PUADLManager:Win32/Snackarcin is a detection name that Microsoft Defender uses to flag a downloader of unwanted programs. Usually, it is an installer of a program that contains a specific code, which makes it connect to a remote server and download other programs. The abbreviation “PUADl” at the beginning of the detection name is, in fact, self-explanatory: Potentially Unwanted Program Downloading Manager.
Among other detections of this type, Snackarcin stands out by the type of a program that carries the said code. According to the user reports, this detection appears on mods or mod engines for Minecraft, downloaded from a third party website. Although completely safe by design, they were modified by a person who uploaded it. This, exactly, is what Microsoft Defender is not happy about. The range of the unwanted programs it can install is vast, I will show my tests later on.
The said mods and mod engines are not the only possible program type that backs the PUADlManager:Win32/Snackarcin. Review of the actual samples show quite a few shady utilities that contain bundler code. Visual tweakers for Windows, screen time control tools, system optimizers – they always were less than trustworthy.
PUADlManager:Win32/Snackarcin Runtime Analysis
To have a better understanding of what Snackarcin is, I run a sample on a virtual machine. It appears to have only a few visible signs that something phishy is going on: the installer had no “usual” windows, and asked to install 7-zip at the end. However, shortly after, the obvious issues appeared.
Without a single notification from the installer, it injected Tesla Browser, a known adware-like rogue browser, and a PC App Store. The latter tries to look like what it sounds, but is in fact akin to adware, that adds promotions to system windows. Both of them are particularly obtrusive in their presence: starting with the system, notifications that pop on top of all apps, the default browser changed to Tesla, and so on. This, however, is not the complete list of unpleasant things Snackarcin is capable of.
To target the bundled programs, PUADLManager:Win32/Snackarcin collects basic system information. This is represented in its activity logs: the installer accesses the registry keys and system config files:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
C:\Windows\System32\WinTypes.dll
This provides Snackarcin with the information about the system version and location, which most likely defines what kind of unwanted apps will it install. Having this data, the bundler connects to the command server (C2) and retrieves the PUAs. C2 addresses are usually built into each sample.
TCP 20.99.186.246:443
TCP 192.229.211.108:80
TCP 23.216.147.64:443
One thing that looks disturbing to me is the occasional usage of command line calls to svchost.exe and wuapihost.exe. These two system processes are capable of hosting the execution of other apps, and, what’s more important, DLLs. For that reason, they are often exploited by dropper malware, particularly for launching injected malware that has a form of a DLL file. Considering the aforementioned networking behavior, nothing stops Snackarcin from acting as a makeshift dropper malware.
C:\Windows\System32\wuapihost.exe -Embedding
C:\Windows\System32\svchost.exe
How to remove PUADlManager:Win32/Snackarcin?
I recommend using GridinSoft Anti-Malware to remove PUADLManager:Win32/Snackarcin. As you could have seen from the analysis above, it does quite a lot of changes in the system, and may install pretty much any other programs or even malware. That’s why a dedicated malware removal utility is pretty much a must.
Download and install GridinSoft Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click “Advanced mode” and see the options in the drop-down menus. You can also see extended information about each detection – malware type, effects and potential source of infection.
Click “Clean Now” to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.
