Trojan:Win64/Disco!rfn - Windows Defender threat signature analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: Trojan:Win64/Disco!rfn
Classification:
Type: Trojan
Platform: Win64
Family: Disco
Detection Type: Concrete (known malware family with identified signatures)
Suffix: !rfn (specific ransomware family name)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: Trojan (appears legitimate but performs malicious actions) targeting the 64-bit Windows platform, family Disco

Summary:

Trojan:Win64/Disco!rfn is a critical Win64 Trojan that significantly compromises system integrity by modifying the hosts file to block antivirus updates (e.g., Avast, ESET) and manipulating dial-up connections, likely for premium rate fraud. It employs persistence mechanisms, network policy manipulation, and shows indicators of spreading via removable media.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
Known malware associated with this threat:
Filename: 45c6158d789c92df57cec8d280c88604d06de0d4119c49e5cd500542a0ad60b6
Hash: 45c6158d789c92df57cec8d280c88604d06de0d4119c49e5cd500542a0ad60b6
Date: 26/06/2026
Remediation Steps:
Immediately isolate the infected system, perform a full antimalware scan with up-to-date definitions, manually verify and restore the hosts file, and remove any suspicious startup entries or scheduled tasks. Re-imaging the system is recommended for complete eradication due to its deep system modifications.
=== END REPORT ===
This analysis was last updated on 26/06/2026.