Sabsik.FL_60 is a Virus. Virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive
Mutexes created
Directory level activity
File level activity- write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\jnduf.bat
- write - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\jnduf~.tmp
- delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\Start.bat
- delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\6e1b9c5bdd8b92f9c801c4f6cc62a632.bin
- delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\jnduf~.tmp
- delete - file - C:\DOCUME~1\TestMachine\LOCALS~1\Temp\jnduf.bat
Registry level activity- write - registry - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\AssociationsModRiskFileTypes
Library level activity- load - library - KERNEL32
- load - library - kernel32.dll
- load - library - Ntdll.dll
- load - library - C:\gxrhj\dll\jCUQWZ.dll
- load - library - KERNEL32.DLL
- load - library - ADVAPI32.dll
- load - library - advapi32
- load - library - mscoree.dll
- load - library - gpupdate
- load - library - mscoree.dll
Process API calls used
- NtFreeVirtualMemory
- CreateProcessInternalW
- WriteProcessMemory
- ExitProcess
Registry API calls used
System API calls used
- LdrGetDllHandle
- LdrGetProcedureAddress
- LdrLoadDll
- LdrGetProcedureAddress
Filesystem API calls used
- CopyFileA
- NtOpenFile
- NtQueryInformationFile
- NtCreateFile
- NtWriteFile
- NtSetInformationFile
- NtWriteFile
Network
UDP source >> destination - 192.168.30.254 >> 192.168.30.6
- 192.168.30.6 >> 192.168.30.255
TCP source >> destination
Domains: DNS Request: HTTP Request: DLL related data Number of DLL's imported = 0
|