Adware:Win32/Tnega - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Adware:Win32/Tnega
Classification:
 - Type: Adware
 - Platform: Win32
 - Family: Tnega
 - Detection Type: Concrete (known malware family with identified signatures)
 - Confidence: Very High
 - False-Positive Risk: Low

Concrete signature match: Adware - Displays unwanted advertisements for 32-bit Windows platform, family Tnega

Summary:

Adware:Win32/Tnega is a concrete detection for a persistent adware threat. It uses scripting capabilities, most likely embedded in malicious documents, to download additional components from external domains, and it establishes persistence by dropping files such as 'wsdts.db' or 'onenote.db' into user AppData directories. Once installed, it displays unwanted advertisements and may alter system settings and collect user information.

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:
 - Filename: envchk.exe | Hash: a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df | Date: 05/05/2026
 - Filename: vsdbg.dll | Hash: 626bd326166a382fb884601da5e74b2e4cb299f4cb9c0059928b2f8ca439686f | Date: 02/04/2026
 - Filename: caaservices.exe | Hash: f0eff94e8ed95c8ccb19decb14f7edcf036830502745ec47fd64152e8b6e42b9 | Date: 31/01/2026
Remediation Steps:
 - Isolate the infected system immediately.
 - Perform a full scan with updated antivirus software to remove all detected threat components.
 - Manually verify and remove any dropped files in user AppData directories and any persistence mechanisms.
 - Block associated malicious URLs at the network perimeter.
=== END REPORT ===
This analysis was last updated on 31/01/2026.