Trojan:JS/GuLoader!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:JS/GuLoader!rfn
Classification:
Type: Trojan
Platform: JS
Family: GuLoader
Detection Type: Concrete
Known malware family with identified signatures
Suffix: !rfn
Specific ransomware family name
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions), JavaScript platform, family GuLoader

Summary:

This is a concrete detection of Trojan:JS/GuLoader, a JavaScript-based downloader. It attempts to fetch and execute additional malicious payloads from external URLs, modify system files, and potentially establish persistence, leading to further system compromise.

Severity: High
VDM Static Detection:
Relevant strings associated with this threat:
 - MSVBVM60.DLL (PEHSTR_EXT)
 - exe" -Destination (MACROHSTR_EXT)
 - ('.'+'/sw"&CHAR(46)&"exe')") (MACROHSTR_EXT)
 - ttps://tinyurl.com/y5dsc4ag (MACROHSTR_EXT)
 - Urinvejssygdommenes.Sig (PEHSTR_EXT)
 - Uninstall\Eliderede (PEHSTR_EXT)
 - Ablatives\Eyesight.ini (PEHSTR_EXT)
 - Software\Spionkameraet (PEHSTR_EXT)
 - entohyal spaulder.exe (PEHSTR_EXT)
 - UY.kO}s' (SNID)
 - fllesbrn.txt (PEHSTR_EXT)
 - Yderredens102.Kan (PEHSTR_EXT)
 - blinkenberg.txt (PEHSTR_EXT)
 - civilisable\Enterococci143 (PEHSTR_EXT)
 - mesalliancers\Seksaaringen (PEHSTR_EXT)
 - chego\reverensens (PEHSTR_EXT)
 - Scripting.FileSystemObject (PEHSTR_EXT)
 - \flKknkUR6B3JMPQjtG45 (PEHSTR_EXT)
 - Uninstall\PDF_Reader (PEHSTR_EXT)
 - CreateFileMappingA(i r5, i 0, i 0x40, i 0, i 0, i 0)i.r4 (PEHSTR_EXT)
 - vbsedit.txt (PEHSTR_EXT)
 - SetSecurityDescriptorDacl (PEHSTR_EXT)
 - ExecToLog (PEHSTR_EXT)
 - ShellExecuteExW (PEHSTR_EXT)
 - beam_r.cur (PEHSTR_EXT)
 - beam_rl.cur (PEHSTR_EXT)
 - busy.svg (PEHSTR_EXT)
 - system.ini (PEHSTR_EXT)
 - \something.ini (PEHSTR_EXT)
 - kernel32.dll::RtlMoveMemory(*i r3 r3,i r9,i 4) (PEHSTR_EXT)
 - AsGenIcon.pdb (PEHSTR_EXT)
 - pidgin.exe (PEHSTR_EXT)
 - readme.txt (PEHSTR_EXT)
 - Predeceived.dll (PEHSTR_EXT)
 - Windows\CurrentVersion\Uninstall\Spontanisternes54\Konsistensernes\Sanktionsfaststtelser (PEHSTR_EXT)
 - Software\Driftsbygningen\Polycitral (PEHSTR_EXT)
 - Software\Garantibetalingernes\Hygienise (PEHSTR_EXT)
 - Simple.png (PEHSTR_EXT)
 - SimpleColor.dll (PEHSTR_EXT)
 - CreateFileMappingW(i r2, i 0, i 0x40, i 0, i 0, i 0)i.r3 (PEHSTR_EXT)
 - Classic.png (PEHSTR_EXT)
 - Decolorising6.dat (PEHSTR_EXT)
 - English.tips (PEHSTR_EXT)
 - MDT2DFX.DLL (PEHSTR_EXT)
 - (i 0,i 0x100000, i 0x3000, i 0x40)p.r3 (PEHSTR_EXT)
 - CommonFilesDir (PEHSTR_EXT)
 - C:\Program Files (PEHSTR_EXT)
 - COPYING.txt (PEHSTR_EXT)
 - wininit.ini (PEHSTR_EXT)
 - unknowndll.pdb (PEHSTR_EXT)
 - unhailed\Bygrnsernes.lnk (PEHSTR_EXT)
 - Boilermaker129.sag (PEHSTR_EXT)
 - brdfrugttrers\reggio.ini (PEHSTR_EXT)
 - blommestenenes\upflows.ini (PEHSTR_EXT)
 - nulpunktsgennemgange\claywares\Pagedom (PEHSTR_EXT)
 - blamability.dat (PEHSTR_EXT)
 - kernel32::SetComputerNameA(t 'artisternes') (PEHSTR_EXT)
 - Software\aflbsbrndenes\Orexis (PEHSTR_EXT)
 - DllUnregisterServer (PEHSTR_EXT)
 - Pruritus\Unhuskable\Opgrelser.Sty (PEHSTR_EXT)
 - Sangeres\Tredveaarsdages\Automatteorien.ini (PEHSTR_EXT)
 - Besvrliggrelserne\Pixiness.Inv (PEHSTR_EXT)
 - Alumin\Studieglds\Statsamternes\Nonegregiousness.ini (PEHSTR_EXT)
 - Nringsmaterialernes229.ini (PEHSTR_EXT)
 - Skibsvrftets\Featherfoil.ini (PEHSTR_EXT)
 - Harmoniserings\Compassment3.lnk (PEHSTR_EXT)
 - Panthea\Binoculars\afslutningens\Handelshindringerne.Unf141 (PEHSTR_EXT)
 - Unmullioned\Uanmeldte\Nordamerikansk\Knogleledets.ini (PEHSTR_EXT)
 - rkkehusets\Nyttet\Galoping.Kno (PEHSTR_EXT)
 - Blreroden\Kernereaktorens.dll (PEHSTR_EXT)
 - Pureen\Netti\Pyloralgia.dll (PEHSTR_EXT)
 - isbjergets\brandinspektrerne\regnens (PEHSTR_EXT)
 - Laurbrkransene.pri (PEHSTR_EXT)
 - Svelningers.ini (PEHSTR_EXT)
 - opfrelses\tippelad\generalinders (PEHSTR_EXT)
 - germayne.txt (PEHSTR_EXT)
 - \Knoxvillite\Loosened\Afgaaet\Trkkerens (PEHSTR_EXT)
 - \Recostumed\Nikkelheftedes (PEHSTR_EXT)
 - Slippes2.lnk (PEHSTR_EXT)
 - Lnkontos.Dew (PEHSTR_EXT)
 - thirdness\Transphysical\burhne.dll (PEHSTR_EXT)
 - Uninstall\Cerviciplex (PEHSTR_EXT)
 - Weathergleam\Tidsskriftsbiblioteket.STY (PEHSTR_EXT)
 - Agedly\BALISTRARIA\Nudelsuppe.ini (PEHSTR_EXT)
 - Detektivarbejders\Preaggravate\Feoffee.und (PEHSTR_EXT)
 - Exship59\optrnende.dll (PEHSTR_EXT)
 - Baandskifternes\protohistorian\Knuses187 (PEHSTR_EXT)
 - socialbegivenheden\hallucinationers.dll (PEHSTR_EXT)
 - physophore\straedet.ini (PEHSTR_EXT)
 - Gulvhjderne149\helsilkes.ini (PEHSTR_EXT)
 - Finanslovforslagets\Erholdelige (PEHSTR_EXT)
 - Skibsprovianteringshandlerens\Klapstol\Svenskekonger\Aasmund.ini (PEHSTR_EXT)
 - Plovers\Berigninger.Iar (PEHSTR_EXT)
 - Diskjockey\Clavariaceae\Spruciest\Investeringspolitikken.Eat (PEHSTR_EXT)
 - Flugtsikreste\Skabiosernes\knystet\Sfrers.Har (PEHSTR_EXT)
 - Stater Bros. Holdings Inc. (PEHSTR_EXT)
 - Viacom Inc (PEHSTR_EXT)
 - kundebrevet.exe (PEHSTR_EXT)
 - Dreyer's Grand Ice Cream, Inc. (PEHSTR_EXT)
 - Lennox International Inc. (PEHSTR_EXT)
 - Kellogg Company (PEHSTR_EXT)
 - Barnes & Noble, Inc. (PEHSTR_EXT)
 - invigilate havearkitekter.exe (PEHSTR_EXT)
 - Montricerne.Ben (PEHSTR_EXT)
 - Software\Procentuelles232\Frafaldsprocents\Forarbejdendes\Inceration (PEHSTR_EXT)
 - Kommunikationsfirmaet\Gldstningers.ini (PEHSTR_EXT)
 - Intercalm\Kommunikationsteknisk\Shauling\Stddmpers.Non (PEHSTR_EXT)
 - Vederheftigheden\Medeas\Malignment\Cullionry (PEHSTR_EXT)
 - ejdendes\Inceration (PEHSTR_EXT)
 - \unproselyte\besparelses (PEHSTR_EXT)
 - 6\Prefigure.emu (PEHSTR_EXT)
 - \stemmespildskampagnes.una (PEHSTR_EXT)
 - mellemteksten.exe (PEHSTR_EXT)
 - FileOperator.exe (PEHSTR_EXT)
 - ODControl.dll (PEHSTR_EXT)
 - OpenSSL-License.txt (PEHSTR_EXT)
 - SetupAURACreator.exe (PEHSTR_EXT)
 - ationalitetsmrket\isonomic\Subtersuperlative\Vehftets\skybanken.emp (PEHSTR_EXT)
 - skybanken.emp (PEHSTR_EXT)
 - screamed rumbaing sootish (PEHSTR_EXT)
 - klassifikationen.Sur (PEHSTR_EXT)
 - mediative\prioriteterne\smuglings (PEHSTR_EXT)
 - beklages.lnk (PEHSTR_EXT)
 - Besaetter\Propagandism.Ens (PEHSTR_EXT)
 - bassetternes.for (PEHSTR_EXT)
 - upstay.fac (PEHSTR_EXT)
 - septenarii\pelsbereder\sammenfatningen (PEHSTR_EXT)
 - suderne.fas (PEHSTR_EXT)
 - stratificerendes.hen (PEHSTR_EXT)
 - Partaker195.est (PEHSTR_EXT)
 - merinould.mon (PEHSTR_EXT)
 - fraadserierne.rip (PEHSTR_EXT)
 - skatkammer.opt (PEHSTR_EXT)
 - underskriftindsmlinger.man (PEHSTR_EXT)
 - Nonsuccour.whi (PEHSTR_EXT)
 - Elokvent.hal (PEHSTR_EXT)
 - Forgring.sam (PEHSTR_EXT)
 - krebanens\Antianaphylactogen18 (PEHSTR_EXT)
 - -\almacen\forskansning\attributvrditildelings (PEHSTR_EXT)
 - %fringer%\metoderne\symphonist (PEHSTR_EXT)
 - 99\galtrap\fraskrevne.ini (PEHSTR_EXT)
 - noncertainty\sandarter (PEHSTR_EXT)
 - Minigrants152.txt (PEHSTR_EXT)
 - subconsulship begramsedes.exe (PEHSTR_EXT)
 - amygdale\Uinitialiseret\restriktivitetens (PEHSTR_EXT)
 - #\Selvhjtidelig\calodemonial.ini (PEHSTR_EXT)
 - \megaara.Cer (PEHSTR_EXT)
 - Software\Shrilling221\melanemia (PEHSTR_EXT)
 - 99\Dkvingernes88\malaga (PEHSTR_EXT)
 - #\afsindigstes\physitheism\altingsmedlemmet (PEHSTR_EXT)
 - indefensibly\antiatomkampagnen (PEHSTR_EXT)
 - Levnedsmiddelet.hyd (PEHSTR_EXT)
 - vejningers.jpg (PEHSTR_EXT)
 - Software\replaster\uninterpleaded (PEHSTR_EXT)
 - Recants\kirsebrsten\rhesuspositiv (PEHSTR_EXT)
 - 99\multiplicere\mortify.Pun (PEHSTR_EXT)
 - $$\Grecianize\turritellidae.ini (PEHSTR_EXT)
 - %Undergrundsbane%\Akkusativobjekterne.Tan (PEHSTR_EXT)
 - mechanicalizations.bla (PEHSTR_EXT)
 - regalers.jpg (PEHSTR_EXT)
 - \Lividities\indlaegger\noncapillaries (PEHSTR_EXT)
 - 88\Disrespective\mouseweb.sup (PEHSTR_EXT)
 - 7\caryophyllene.bac (PEHSTR_EXT)
 - %Farcicality115%\venus (PEHSTR_EXT)
 - \bearnaisens\lejen.mac (PEHSTR_EXT)
 - kolonialt billedtppet.exe (PEHSTR_EXT)
 - 5\bedvelsens\Reaccelerates.ske (PEHSTR_EXT)
 - loddebolt\Newsdealers (PEHSTR_EXT)
 - %biosynthesize%\multipartite\sigvard (PEHSTR_EXT)
 - \retskrivningsreglens\domestikvrelses.ini (PEHSTR_EXT)
 - vulgarizer.exe (PEHSTR_EXT)
 - \ashipboard\kellen\knos (PEHSTR_EXT)
 - \Ordbogs\adjudantsnorenes.Ext241 (PEHSTR_EXT)
 - \Mellemmndenes224.ini (PEHSTR_EXT)
 - %vejlednings%\artillerymen\woodhung.pra (PEHSTR_EXT)
 - \gennemtrawles\gastroskopierne.dll (PEHSTR_EXT)
 - \hydranths\Dynamistic.pre (PEHSTR_EXT)
 - \fejltastning\femdobler\quasiparticle (PEHSTR_EXT)
 - 99\inhabilitetssprgsmaalet.tic (PEHSTR_EXT)
 - rekompenseres.jpg (PEHSTR_EXT)
 - unconformity nonimputatively.exe (PEHSTR_EXT)
 - toggler triumvirates.exe (PEHSTR_EXT)
 - charpiet\Summertide245\Anskueligt (PEHSTR_EXT)
 - motatory\Gudmdrene\krematorier (PEHSTR_EXT)
 - %Ineffektiviteterne40%\bejape\Lullet210 (PEHSTR_EXT)
 - %Trabucos%\protestations\unfiendlike (PEHSTR_EXT)
 - \funke\Befolkningsttheders75.kal (PEHSTR_EXT)
 - \Sugeskive140.smu (PEHSTR_EXT)
 - genfremstilles dmringer.exe (PEHSTR_EXT)
 - unstraightened\unpredicable\konstance (PEHSTR_EXT)
 - \dynelfterne\fremmedpolitis.Afk (PEHSTR_EXT)
 - %kajpladserne%\cordies\participerendes.Ann (PEHSTR_EXT)
 - 5\Snespurve.Mys (PEHSTR_EXT)
 - \breathalyze\adults.loc (PEHSTR_EXT)
 - #\Disallowance232\*.vej (PEHSTR_EXT)
 - busseronne.ini (PEHSTR_EXT)
 - vakuumers\sundhedsplejerskers\Skyggerne (PEHSTR_EXT)
 - Ansttelsesplaners\Metalloid205\Septics (PEHSTR_EXT)
 - %unreckingness%\Squelchy\kngtet (PEHSTR_EXT)
 - squilgees.exe (PEHSTR_EXT)
 - \conclusiveness\aflirende\kavaic (PEHSTR_EXT)
 - \didactive\eneprokura.ini (PEHSTR_EXT)
 - kompaktheden\Indfoerelsen126 (PEHSTR_EXT)
 - \majolicas\protonemata\operationsvrelser (PEHSTR_EXT)
 - televaerket\sladdertasker.sti (PEHSTR_EXT)
 - ilfre\indskuds\ (PEHSTR_EXT)
 - antibiotikaforbruget.exe (PEHSTR_EXT)
 - \Faginspektrerne\affugt\dunter (PEHSTR_EXT)
 - \constancy.ans (PEHSTR_EXT)
 - Lbrikkernes46.ini (PEHSTR_EXT)
 - kammerjunkerne.exe (PEHSTR_EXT)
 - flighting redescribes nasioinial (PEHSTR_EXT)
 - dovetailwise.exe (PEHSTR_EXT)
 - \Skolings\Logikkerne101\chirologies (PEHSTR_EXT)
 - synaxar\nonvirtuousness\resaca (PEHSTR_EXT)
 - 5\tilbagedateringernes\Forrevnes229.aff (PEHSTR_EXT)
 - \undertide\bessermachen.ini (PEHSTR_EXT)
 - Flagellants.txt (PEHSTR_EXT)
 - filsti laggards.exe (PEHSTR_EXT)
 - \startparametrets\Anablepses124\Spisebler (PEHSTR_EXT)
 - 99\perturbingly\metaplasis.for (PEHSTR_EXT)
 - \typhemia.atm (PEHSTR_EXT)
 - tvangsfuldbyrder.exe (PEHSTR_EXT)
 - #\Kalkvrksarbejderen84\chego\reverensens (PEHSTR_EXT)
 - supernovas\mesalliancers\Seksaaringen (PEHSTR_EXT)
 - \betrngtes\hockshin.Toe (PEHSTR_EXT)
 - nadvergst.exe (PEHSTR_EXT)
 - infeasibilities aquaduct.exe (PEHSTR_EXT)
 - surmlk screams cisset (PEHSTR_EXT)
 - \Unbeing55\kroer\tingid (PEHSTR_EXT)
 - Bosteder5.soc (PEHSTR_EXT)
 - Filstruktur.txt (PEHSTR_EXT)
 - copaline.unc (PEHSTR_EXT)
 - destemper.txt (PEHSTR_EXT)
 - ferske.kap (PEHSTR_EXT)
 - undergivelsens.ini (PEHSTR_EXT)
 - \proctoclysis\rosetan.fis (PEHSTR_EXT)
 - highcourt.exe (PEHSTR_EXT)
 - sandfanget\ophavsretsindehavers\marmorflisens (PEHSTR_EXT)
 - \supervacaneous\forestillingsverdner.col (PEHSTR_EXT)
 - 5\episodernes\Multiscreen.fra (PEHSTR_EXT)
 - %unoratorial%\universitetsforlag (PEHSTR_EXT)
 - #\imprgneringer\Botilla\hjlpefilens (PEHSTR_EXT)
 - grundlovstalens redhandedness.exe (PEHSTR_EXT)
 - Milieubeskyttelsessektorer\Acetylene (PEHSTR_EXT)
 - ts\ekstrafortjenestes.Rke (PEHSTR_EXT)
 - %sitre%\sidsers.Adr (PEHSTR_EXT)
 - vocoded differentieringer.exe (PEHSTR_EXT)
 - \bibliografers.tol (PEHSTR_EXT)
 - \Flimp137 (PEHSTR_EXT)
 - levnets\semireflexively (PEHSTR_EXT)
 - \Desertioner\uskikken.gif (PEHSTR_EXT)
 - \aandsevner\natricinae.ini (PEHSTR_EXT)
 - macrosymbiont.exe (PEHSTR_EXT)
 - byretsdommeres.exe (PEHSTR_EXT)
 - kirkegange\baltheus\digression (PEHSTR_EXT)
 - Precosmically\multihead (PEHSTR_EXT)
 - %seacross%\solcreme (PEHSTR_EXT)
 - \nooky\Concolour.ini (PEHSTR_EXT)
 - \spermatia (PEHSTR_EXT)
 - yor sebum discreet (PEHSTR_EXT)
 - usikkerhedsmomentets dekodningers.exe (PEHSTR_EXT)
 - \Sybaritism\Underprikkede (PEHSTR_EXT)
 - Skemalisterne.ini (PEHSTR_EXT)
 - \kontortelefon\octaval.jpg (PEHSTR_EXT)
 - Forceps\restigmatises\Torrence (PEHSTR_EXT)
 - \Delegerets144\dampningerne.kil (PEHSTR_EXT)
 - \enterorrhea\outtake.upf (PEHSTR_EXT)
 - %typebetegnelsers%\chlorinator\fogedretterne (PEHSTR_EXT)
 - kunstgdningers orkestergraven.exe (PEHSTR_EXT)
 - Atrierne\Uninstall\Cashewnddernes29\unsummarisable (PEHSTR_EXT)
 - \amphithalamus\indkaldelsesdagene.dll (PEHSTR_EXT)
 - \calendarial\wabblingly.Uno (PEHSTR_EXT)
 - %transportmidlets%\beskuelses.mar (PEHSTR_EXT)
 - licans voldelighederne.exe (PEHSTR_EXT)
 - Knight-Ridder Inc. (PEHSTR_EXT)
 - Medtronic Inc. (PEHSTR_EXT)
 - Comfort Systems USA Inc. (PEHSTR_EXT)
 - unreworded demimondn.exe (PEHSTR_EXT)
 - yarmelke gaunt.exe (PEHSTR_EXT)
 - \exulding\genrebestemmelses (PEHSTR_EXT)
 - Bifloderne90.ini (PEHSTR_EXT)
 - thelmas.exe (PEHSTR_EXT)
 - Burlington Resources Inc. (PEHSTR_EXT)
 - Landstar System Inc. (PEHSTR_EXT)
 - fiendliness horrorful.exe (PEHSTR_EXT)
 - \repetrpr\tabloidavis\portsmouth (PEHSTR_EXT)
 - -\betagelsers\stifinderens.jpg (PEHSTR_EXT)
 - %blgede%\hummeres\unsad (PEHSTR_EXT)
 - 7\fylke\scaphocerite.txt (PEHSTR_EXT)
 - fum espavel.exe (PEHSTR_EXT)
 - \Activate\Cannibalization\Distractible (PEHSTR_EXT)
 - konebytningens\purismen\pygmaean (PEHSTR_EXT)
 - %Azoturia%\lumina (PEHSTR_EXT)
 - animhdr vicevrtens.exe (PEHSTR_EXT)
 - Siliciumets\trykketeknikkerne\livsforsikringens (PEHSTR_EXT)
 - %Pseudoanatomic%\Krocket22 (PEHSTR_EXT)
 - 5\Snorkel.Eve (PEHSTR_EXT)
 - semicollegiate.exe (PEHSTR_EXT)
 - dolcan.exe (PEHSTR_EXT)
 - Regions Financial Corp. (PEHSTR_EXT)
 - amalgameret.exe (PEHSTR_EXT)
 - guiltiest.exe (PEHSTR_EXT)
 - tvangsrutens inversions.exe (PEHSTR_EXT)
 - \planular\undervisningsomraadets (PEHSTR_EXT)
 - \Fermenteret156\occlusocervical (PEHSTR_EXT)
 - honoreredes.aut (PEHSTR_EXT)
 - \Cathy\*.bin (PEHSTR_EXT)
 - %muggery%\Oxygens\Fletfilen (PEHSTR_EXT)
 - \enevrelser.ini (PEHSTR_EXT)
 - Allied Waste Industries, Inc. (PEHSTR_EXT)
 - formblingen statuses.exe (PEHSTR_EXT)
 - #\briskly\townhouses\Informationsbehandling80 (PEHSTR_EXT)
 - $$\unfrigidness\prsentation.une (PEHSTR_EXT)
 - 88\Bluejelly78\infinituple.tet (PEHSTR_EXT)
 - sovseskeernes\uncompliability\kriteriernes (PEHSTR_EXT)
 - %Unprisonable%\Onomastical\Diskurser.unt (PEHSTR_EXT)
 - Coca-Cola Enterprises Inc. (PEHSTR_EXT)
 - Outback Steakhouse Inc. (PEHSTR_EXT)
 - Maxim Integrated Products Inc. (PEHSTR_EXT)
 - diminishment.exe (PEHSTR_EXT)
 - angionoma.exe (PEHSTR_EXT)
 - Parker Hannifin Corp. (PEHSTR_EXT)
 - BMC Software Inc. (PEHSTR_EXT)
 - Federal Mogul Corp. (PEHSTR_EXT)
 - La-Z-Boy Inc. (PEHSTR_EXT)
 - markren gedekiddene.exe (PEHSTR_EXT)
 - stiltifying registertekstens.exe (PEHSTR_EXT)
 - \Raspberry33\Programudviklings (PEHSTR_EXT)
 - %bibeholdtes%\beluredes (PEHSTR_EXT)
 - konometriske\Stilsikre221\tudkoppernes (PEHSTR_EXT)
 - \aadselgravernes\forlberens.jpg (PEHSTR_EXT)
 - Unvenerated.obo (PEHSTR_EXT)
 - gymnotoka.rea (PEHSTR_EXT)
 - Polyphyletic\Wages93 (PEHSTR_EXT)
 - knsrolledebatterne jockeyism (PEHSTR_EXT)
 - malmsey minimumskravet.exe (PEHSTR_EXT)
 - \forsmmelses\galehus (PEHSTR_EXT)
 - \westling\skindhuerne.ini (PEHSTR_EXT)
 - \trykkogeres.gif (PEHSTR_EXT)
 - \Endestationers\Selvbefrugtningernes.ini (PEHSTR_EXT)
 - \Kraftudfoldelser\Corrigibleness.lnk (PEHSTR_EXT)
 - Creephole\Fodpleje\cheminova (PEHSTR_EXT)
 - blindet\Admiralers175 (PEHSTR_EXT)
 - \Magteslsest\outgate.txt (PEHSTR_EXT)
 - %%\nonforfeiture\unslacking.ini (PEHSTR_EXT)
 - %elevskolerne%\unlocalizables\yvette (PEHSTR_EXT)
 - -\groteskes\Pletten113\fldeskummen (PEHSTR_EXT)
 - %shufflingly%\reporterede\Nonnatives (PEHSTR_EXT)
 - \mayorships\Epidemiologiens.ini (PEHSTR_EXT)
 - kulbrinterne aabnemuskels.exe (PEHSTR_EXT)
 - gadekasernens\nonnegligent\supergallantness (PEHSTR_EXT)
 - %stickiest%\christener\udsteningen (PEHSTR_EXT)
 - \sparable.bin (PEHSTR_EXT)
 - hyperbatbata twelvemo (PEHSTR_EXT)
 - hypotheses carbodynamite.exe (PEHSTR_EXT)
 - %reunionism%\billarderne\transpositively (PEHSTR_EXT)
 - converging antenneforeningerne.exe (PEHSTR_EXT)
 - furcula.exe (PEHSTR_EXT)
 - Software\jezail\spurveungernes (PEHSTR_EXT)
 - \plankevrket\petunia (PEHSTR_EXT)
 - anvendelsesformaalenes closeout.exe (PEHSTR_EXT)
 - ferierejsende scruple (PEHSTR_EXT)
 - proffesionelle.exe (PEHSTR_EXT)
 - \Witnessers153\raabte\amuletters (PEHSTR_EXT)
 - commingler dialyses (PEHSTR_EXT)
 - apprizal.exe (PEHSTR_EXT)
 - \arizonians\tollo (PEHSTR_EXT)
 - \pladsholderes\cithrens\monometalism (PEHSTR_EXT)
 - %Testkrslernes%\tehtten (PEHSTR_EXT)
 - menualternativernes.exe (PEHSTR_EXT)
 - \antoni\Kiaugh90\spiralfjedrene (PEHSTR_EXT)
 - sobe aarsbudgettet.exe (PEHSTR_EXT)
 - Servietter\forfends\ecclesiae (PEHSTR_EXT)
 - Tatariskes\gerningers\ (PEHSTR_EXT)
 - Kondicyklens.ini (PEHSTR_EXT)
 - %afviklingstids%\fjerde\driftsomkostnings (PEHSTR_EXT)
 - \rasher\tilfredsstillelsen.jpg (PEHSTR_EXT)
 - %tilst%\skolingsgrupper (PEHSTR_EXT)
 - suppressants\Pythonical\skattepolitiks (PEHSTR_EXT)
 - #\strafudmaalingen\reverent (PEHSTR_EXT)
 - %%\vildttllinger.ini (PEHSTR_EXT)
 - vederheftighederne.exe (PEHSTR_EXT)
 - %isometri%\styrtdykkeren (PEHSTR_EXT)
 - 5\haandarbejdernes\epoxyed.htm (PEHSTR_EXT)
 - infold daekker.exe (PEHSTR_EXT)
 - \fejelistens\ingrossing (PEHSTR_EXT)
 - %manyatta%\displeasurement\Underclutch193 (PEHSTR_EXT)
 - \sandwichmnd\jennets.ini (PEHSTR_EXT)
 - broderparrene.exe (PEHSTR_EXT)
 - \Kobberstikket169\helicograph (PEHSTR_EXT)
 - %mulishness%\Nonleaking.bin (PEHSTR_EXT)
 - dedicerendes sintoism.exe (PEHSTR_EXT)
 - posologic rit.exe (PEHSTR_EXT)
 - \countercriticisms\erector\heltedigtene (PEHSTR_EXT)
 - kommunikationslinier.spr (PEHSTR_EXT)
 - gruffish.exe (PEHSTR_EXT)
 - rhinskes\Terrorregimenternes (PEHSTR_EXT)
 - boretaarnets\myosers (PEHSTR_EXT)
 - %mareridt%\atestine.bin (PEHSTR_EXT)
 - unhospital hydrologisk.exe (PEHSTR_EXT)
 - \sovjetten\privateness (PEHSTR_EXT)
 - %afbildninger%\hovedtj\salably.jpg (PEHSTR_EXT)
 - rhymemaking piltastens.exe (PEHSTR_EXT)
 - floristic opver.exe (PEHSTR_EXT)
 - \unniggard\aggraveringens\abettor (PEHSTR_EXT)
 - magikernes.exe (PEHSTR_EXT)
 - \Landeplager52.Tek (PEHSTR_EXT)
 - Trones.jpg (PEHSTR_EXT)
 - extenso.ini (PEHSTR_EXT)
 - priacanthidae.jpg (PEHSTR_EXT)
 - \Vandlidende.Rug (PEHSTR_EXT)
 - amfibietankenes.exe (PEHSTR_EXT)
 - %antimonopoly%\muscavado\Bustrafik (PEHSTR_EXT)
 - misadjust konfigurationsprogram.exe (PEHSTR_EXT)
 - presubmitting klaustrofobi.exe (PEHSTR_EXT)
 - prcedensens\Barselsorlovernes\retshjlpens (PEHSTR_EXT)
 - %Pointers%\Prevalidly246\Sammenklumpet (PEHSTR_EXT)
 - masturbation lserinderne (PEHSTR_EXT)
 - thakurate.exe (PEHSTR_EXT)
 - disaugment thrummed.exe (PEHSTR_EXT)
 - \contaminations\drillesygeste (PEHSTR_EXT)
 - %rennases%\indocibleness\finansministrenes (PEHSTR_EXT)
 - %sidy%\mygges\Vidneafhringers (PEHSTR_EXT)
 - asellate\Mummery119.exe (PEHSTR_EXT)
 - \bolsjers\Indlsendes.ini (PEHSTR_EXT)
 - \narrene\Karteuser125.dll (PEHSTR_EXT)
 - \udryddet\Bengnaverne53\udturenes (PEHSTR_EXT)
 - skovkanter\bryan\variocuopler (PEHSTR_EXT)
 - %Beadings%\Abdomen\Smirching (PEHSTR_EXT)
 - \interrupter\fotogrammetri.jpg (PEHSTR_EXT)
 - \gorvarehandelen\kendemrkers.htm (PEHSTR_EXT)
 - lighedspunkterne.exe (PEHSTR_EXT)
 - \kringlernes\lumberjacks (PEHSTR_EXT)
 - ismejeri\cordylanthus\suppose (PEHSTR_EXT)
 - %tabers%\afmonterer\dillerdaller (PEHSTR_EXT)
 - \Sprogbrugerne\enerne.txt (PEHSTR_EXT)
 - demokratiernes\horograph\stuporific (PEHSTR_EXT)
 - %thurst%\indsmrer\waldgravine (PEHSTR_EXT)
 - alchemister.exe (PEHSTR_EXT)
 - liggeplads valentino.exe (PEHSTR_EXT)
 - tilstandsform.wal (PEHSTR_EXT)
 - sekularismens.tre (PEHSTR_EXT)
 - immigrationen.jol (PEHSTR_EXT)
 - cindersbanernes.fic (PEHSTR_EXT)
 - outtricking\Detentions\liniefring (PEHSTR_EXT)
 - ekskluderet emendations.exe (PEHSTR_EXT)
 - Sagndannelses.jay (PEHSTR_EXT)
 - Centripetalkraftens151.mul (PEHSTR_EXT)
 - Pulverizes.Kom57 (PEHSTR_EXT)
 - Chunari.Car (PEHSTR_EXT)
 - chiropraxis.kil (PEHSTR_EXT)
 - Itsy.kat (PEHSTR_EXT)
 - \Lasten162\Pulverizes.Kom57 (PEHSTR_EXT)
 - Carnify.jpg (PEHSTR_EXT)
 - Dumpingpriss227.ret (PEHSTR_EXT)
 - chadors.fis (PEHSTR_EXT)
 - ordknappeste.dom (PEHSTR_EXT)
 - recipiomotor.ini (PEHSTR_EXT)
 - \Dims49\kreplan.jpg (PEHSTR_EXT)
 - ryddeligeres.gid (PEHSTR_EXT)
 - \sceptry\decibels\prisklasser (PEHSTR_EXT)
 - \reserveofficerers.jpg (PEHSTR_EXT)
 - \kunstfrdigt.lnk (PEHSTR_EXT)
 - \Cotylophorous\Calvinisten.zip (PEHSTR_EXT)
 - \affutager\bougainvillaeas.ini (PEHSTR_EXT)
 - Prohumanistic1.sil (PEHSTR_EXT)
 - caravanist.mem (PEHSTR_EXT)
 - redaktren.fri (PEHSTR_EXT)
 - \Saddeltags183 (PEHSTR_EXT)
 - \Soveposer\brysthule.txt (PEHSTR_EXT)
 - \Grusgrave191\afgiftsordningernes.zip (PEHSTR_EXT)
 - Pyramidella.enj (PEHSTR_EXT)
 - Sentinelling.occ (PEHSTR_EXT)
 - betingede.pea (PEHSTR_EXT)
 - \Turbojetternes129\saneringsplaner.zip (PEHSTR_EXT)
 - \bemused\halicot (PEHSTR_EXT)
 - \zarinas\aareforfedtningens (PEHSTR_EXT)
 - \Chapelry76.bmp (PEHSTR_EXT)
 - Deklamatorens.tro (PEHSTR_EXT)
 - Suttekludene.rel (PEHSTR_EXT)
 - dumrians.taf (PEHSTR_EXT)
 - prepend.kon (PEHSTR_EXT)
 - \equiomnipotent\vangers.txt (PEHSTR_EXT)
 - ridiculise\tossehovedernes\ (PEHSTR_EXT)
 - \Balloteret.gif (PEHSTR_EXT)
 - \acquent.ini (PEHSTR_EXT)
 - \strandbredders.htm (PEHSTR_EXT)
 - \Visioner\postically.zip (PEHSTR_EXT)
 - \pretrernes\museums.jpg (PEHSTR_EXT)
 - ethylenically\temblors.txt (PEHSTR_EXT)
 - \Mea175.exe (PEHSTR_EXT)
 - \dialogbokse\nedslagtede.txt (PEHSTR_EXT)
 - \uarbejdsdygtiges\godsterminalernes.ini (PEHSTR_EXT)
 - Phenomenalize46.ini (PEHSTR_EXT)
 - \parodi\nonexceptionally.lnk (PEHSTR_EXT)
 - \Venskabsbyernes234\breaths.jpg (PEHSTR_EXT)
 - Godet65.gyt (PEHSTR_EXT)
 - gengldelsers.unf (PEHSTR_EXT)
 - overforsikre.med (PEHSTR_EXT)
 - summeriest.app (PEHSTR_EXT)
 - \surcharges.ini (PEHSTR_EXT)
 - \Snailery\Administrant.ini (PEHSTR_EXT)
 - \knledene.ini (PEHSTR_EXT)
 - \abolitionised\antiendowment.ini (PEHSTR_EXT)
 - \lumberman.ini (PEHSTR_EXT)
 - patchworky\Unbeveled (PEHSTR_EXT)
 - chingma\Uninstall\prerevised\Kadaver67 (PEHSTR_EXT)
 - \art\Pharynges.lnk (PEHSTR_EXT)
 - \plotting\glosserede.dll (PEHSTR_EXT)
 - givingly\Husstv\centrifugalsprederen (PEHSTR_EXT)
 - Beehive\flleshuses\Photopic (PEHSTR_EXT)
 - \inappetence\biplanerne\Kamuflerendes.gif (PEHSTR_EXT)
 - \Nedslaaedes174\statsgarantiens.ini (PEHSTR_EXT)
 - \usselheden\tagpappens.ini (PEHSTR_EXT)
 - \Reinjures\medsendtes (PEHSTR_EXT)
 - \tolvaarsfdselsdagen\festugen (PEHSTR_EXT)
 - \stemmejerns\katodestraalernes.htm (PEHSTR_EXT)
 - \Galactocele.ini (PEHSTR_EXT)
 - Remrkedes.sis (PEHSTR_EXT)
 - Brudfladen.Dra (PEHSTR_EXT)
 - Maleriudstillingerne98.jpg (PEHSTR_EXT)
 - \Ottavas\Kronerne (PEHSTR_EXT)
 - startbogstaver.bin (PEHSTR_EXT)
 - \Brugsklart\dataskrme.lnk (PEHSTR_EXT)
 - \almenhedens (PEHSTR_EXT)
 - \Flokatis58.ini (PEHSTR_EXT)
 - \Divertila (PEHSTR_EXT)
 - \bearer.ini (PEHSTR_EXT)
 - bonkammeraters.fli (PEHSTR_EXT)
 - overordentliges.gul (PEHSTR_EXT)
 - overprsidiets.tin (PEHSTR_EXT)
 - sirki.kue (PEHSTR_EXT)
 - \bagflikninger\mozarab.ini (PEHSTR_EXT)
 - Amalgamernes.txt (PEHSTR_EXT)
 - Endothermous.txt (PEHSTR_EXT)
 - Resultatfelternes.ini (PEHSTR_EXT)
 - Udenrigsredaktrerne.txt (PEHSTR_EXT)
 - femtoneskalaer.nat (PEHSTR_EXT)
 - gargol.jpg (PEHSTR_EXT)
 - incapacitation.man (PEHSTR_EXT)
 - tekrusenes.pro (PEHSTR_EXT)
 - venire.jpg (PEHSTR_EXT)
 - amariterkursus\decaesarize\Eksekverbar (PEHSTR_EXT)
 - Electropotential\Brombrrenes82\Proteles (PEHSTR_EXT)
 - .\Enakteres101.ini (PEHSTR_EXT)
 - #\dommervagts\hypogonadism.jpg (PEHSTR_EXT)
 - %unlavished%\vindue (PEHSTR_EXT)
 - \aigialosauridae\ded.bin (PEHSTR_EXT)
 - \Threskiornithidae\Upaaviseligheden.htm (PEHSTR_EXT)
 - 99\udbredte.gif (PEHSTR_EXT)
 - \Undertrykkelses\bacalao\Bipeltate183 (PEHSTR_EXT)
 - eeyuch\Lithotresis215\tankangrebets (PEHSTR_EXT)
 - 99\onlookers\qoheleth.ini (PEHSTR_EXT)
 - %relabeler%\Pibloktos\uldtrjer (PEHSTR_EXT)
 - -\Opfindsomste.exe (PEHSTR_EXT)
 - \Megapterine109.ini (PEHSTR_EXT)
 - \produktivitet\Galvanopsychic (PEHSTR_EXT)
 - \dowl.txt (PEHSTR_EXT)
 - Opacite.Hom (PEHSTR_EXT)
 - Ddt17.hom (PEHSTR_EXT)
 - arbejdsfunktion.ich (PEHSTR_EXT)
 - kaskades.gle (PEHSTR_EXT)
 - rewrite.whi (PEHSTR_EXT)
 - ubehagelighedernes\Levitate\stoppende (PEHSTR_EXT)
 - %bider%\schnauzers\udviklingshastighedens (PEHSTR_EXT)
 - %monoprogrammings%\erma\undogmatical (PEHSTR_EXT)
 - \Maaneformrkelse.ini (PEHSTR_EXT)
 - \spinderokkes\Gennempletterede.bin (PEHSTR_EXT)
 - \mineralizables\niggerfish\Erhvervslederne (PEHSTR_EXT)
 - \Synaloepha.jpg (PEHSTR_EXT)
 - \halma.ini (PEHSTR_EXT)
 - \bippene\spydspidsens.ini (PEHSTR_EXT)
 - sikkerhedskopierings.jpg (PEHSTR_EXT)
 - \hstmaskine\artificialness.ini (PEHSTR_EXT)
 - molekylrt\skospndets\troposfrens (PEHSTR_EXT)
 - \Frerskab\stningsstrukturens.dll (PEHSTR_EXT)
 - myrialitre\forsvenskendes\falsities (PEHSTR_EXT)
 - %komtessernes%\Overfaintly\mouthpiece (PEHSTR_EXT)
 - bigamists logomancy.exe (PEHSTR_EXT)
 - \gniderierne (PEHSTR_EXT)
 - \medicophysical.txt (PEHSTR_EXT)
 - \rotteflde\anlgsjemedene.exe (PEHSTR_EXT)
 - \philomathy.gif (PEHSTR_EXT)
 - \astmalgernes\jagtbdes.bin (PEHSTR_EXT)
 - \nordeuropiske.exe (PEHSTR_EXT)
 - \elitekorps.dll (PEHSTR_EXT)
 - \kaladana\stablendes.bin (PEHSTR_EXT)
 - Navigabel.jpg (PEHSTR_EXT)
 - bariatrics.ini (PEHSTR_EXT)
 - saloons.exe (PEHSTR_EXT)
 - \Somniloquy158\Dromedarerne39\skidesurt (PEHSTR_EXT)
 - %Tegnomraadet%\overtalelsesevne\uncourtesy (PEHSTR_EXT)
 - caliber.exe (PEHSTR_EXT)
 - Fringing\hovedkortene (PEHSTR_EXT)
 - %asian%\aularian (PEHSTR_EXT)
 - efterbrndere antifoniers.exe (PEHSTR_EXT)
 - elevcentreredes\ramified (PEHSTR_EXT)
 - %onagers%\opholdsstuers\ddslejernes (PEHSTR_EXT)
 - \kemikalies\jamnia.lnk (PEHSTR_EXT)
 - \tjrnekrattet\deheathenize.ini (PEHSTR_EXT)
 - Nonplatitudinously.ene (PEHSTR_EXT)
 - \Roesukkerets23\raught (PEHSTR_EXT)
 - Acetoxyphthalide124.txt (PEHSTR_EXT)
 - Artet45.cat (PEHSTR_EXT)
 - Forskningsprojekters102.jpg (PEHSTR_EXT)
 - Insuppressibility.ini (PEHSTR_EXT)
 - efterbehandlende.jpg (PEHSTR_EXT)
 - veltilfredheden.avl (PEHSTR_EXT)
 - \befallen\Prislags.ini (PEHSTR_EXT)
 - \vandforsyningernes\overobediently\cauboge (PEHSTR_EXT)
 - \nednormeringens\hayburner.ini (PEHSTR_EXT)
 - \bralrende\audings.htm (PEHSTR_EXT)
 - \fewness\hypotesens.dll (PEHSTR_EXT)
 - \Forbigangen162\grundvandsbeskyttelsens.jpg (PEHSTR_EXT)
 - \tndingsnglerne (PEHSTR_EXT)
 - \contignate.lnk (PEHSTR_EXT)
 - Preutilizing49.txt (PEHSTR_EXT)
 - \quippy.txt (PEHSTR_EXT)
 - \vestvggens.htm (PEHSTR_EXT)
 - \style.Nig (PEHSTR_EXT)
 - \threshel\trimellitic.ini (PEHSTR_EXT)
 - Valmuefrs.Ove (PEHSTR_EXT)
 - Afprik.txt (PEHSTR_EXT)
 - Centraliseret.jpg (PEHSTR_EXT)
 - Decarbonylating.ini (PEHSTR_EXT)
 - Tedesca.jpg (PEHSTR_EXT)
 - opbevaringskapaciteternes.txt (PEHSTR_EXT)
 - -\anderledestnkende\convival (PEHSTR_EXT)
 - honeyhearted\Earthslide78\susser (PEHSTR_EXT)
 - 88\Larrup\Accursedly.zip (PEHSTR_EXT)
 - DST Systems, Inc. (PEHSTR_EXT)
 - E.W. Scripps Company (PEHSTR_EXT)
 - rouleauers.exe (PEHSTR_EXT)
 - gradiometer\juloid\sodalithite (PEHSTR_EXT)
 - %harvendes%\lykkeflelsen (PEHSTR_EXT)
 - Bristol-Myers Squibb Company (PEHSTR_EXT)
 - urpremieres.exe (PEHSTR_EXT)
 - \protesen\kendingssignaler (PEHSTR_EXT)
 - \scientolism\oplsningernes.bin (PEHSTR_EXT)
 - %Ordvekslingens%\inadvertant\billardkuglerne (PEHSTR_EXT)
 - Fremtidsforskeren35.ini (PEHSTR_EXT)
 - Quanta Services Inc. (PEHSTR_EXT)
 - pachyglossous.exe (PEHSTR_EXT)
 - registreringsafgiftens xylidine.exe (PEHSTR_EXT)
 - \gehejmeraadernes\Inconscience62 (PEHSTR_EXT)
 - %Club%\Racisten239\ltningens (PEHSTR_EXT)
 - erotic annizettes.exe (PEHSTR_EXT)
 - arealberegningerne knleddet.exe (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Known malware associated with this threat:
Filename: Warunki umowy-pdf.js
SHA-256: adebb117064422a62d383fd7c6c8f27028eba7106d872592ec4cfbafce03aa25
Date: 09/01/2026
Remediation Steps:
 - Isolate the affected host immediately.
 - Perform a full system scan with updated antivirus software.
 - Investigate for additional dropped malware, persistence mechanisms, and potential post-exploitation activity.
 - If the compromise is extensive, restore from a clean backup.
=== END REPORT ===
This analysis was last updated on 09/01/2026.