b3.scorevidic.net 92.243.29.231
* C&C Server: 92.243.29.231:5900
* Server Password:
* Username: VirUs
* Nickname: VirUs-bxyjsayd
* Channel: (Password: )
* Channeltopic:
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{13POP6M8-1MAD-24AD-JIM1-73OP5G2223335} "StubPath" = c:\JAMA\CRAFT\pop.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 "AllowUnsafeObjectPassing"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "DoReport"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "ShowUI"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "AllOrNone"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "IncludeMicrosoftApps"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "IncludeWindowsApps"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "DoTextLog"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "IncludeKernelFaults"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "IncludeShutdownErrs"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "NumberOfFaultPipes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "NumberOfHangPipes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "MaxUserQueueSize"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting "ForceQueueMode"
Enums
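The only registry write in this report is the Active Setup "Installed Components" StubPath, a persistence location that Windows executes once per user at logon. The hunt below is an added example, not part of the sandbox report or of the sample: it walks the Active Setup roots and flags entries that share the traits of the observed one (a key name that is not a well-formed hex GUID, as {13POP6M8-1MAD-24AD-JIM1-73OP5G2223335} is not; a StubPath outside %SystemRoot% and Program Files; a target that is hidden or missing). The trusted-directory list, the GUID check and the StubPath parsing are assumptions generalised from this one entry, not a documented Windows rule.

```powershell
# Added hunt (not part of the sandbox report). Lists Active Setup Installed Components
# entries whose StubPath looks like the one this sample wrote. All heuristics below are
# assumptions generalised from the single observed entry.
$GuidRe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$Roots = @(
  'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components',
  'HKCU:\Software\Microsoft\Active Setup\Installed Components'
)
# Directories a legitimate StubPath is expected to live under (assumption).
$TrustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
  Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-StubExecutable {
    # Extract the executable from a StubPath command line: a quoted path, or, when unquoted,
    # everything up to the first "/" or "-" switch (the sample's value has no arguments).
    param([string]$StubPath)
    $s = $StubPath.Trim()
    if ($s.StartsWith('"')) { $exe = ($s -split '"')[1] }
    else { $exe = ($s -split '\s+[/-]')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe.Trim())
}

function Test-ActiveSetupEntry {
    # Returns the list of findings for one entry; an empty list means nothing suspicious.
    param([string]$KeyName, [string]$StubPath)
    $findings = @()
    if ($KeyName -notmatch $GuidRe) { $findings += 'key name is not a well-formed GUID' }
    if ([string]::IsNullOrWhiteSpace($StubPath)) { return ,$findings }
    $exe = Get-StubExecutable $StubPath
    $trusted = $false
    foreach ($d in $TrustedDirs) {
        if ($exe.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
    }
    if (-not $trusted) { $findings += "StubPath points outside system/program directories: $exe" }
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $attr = (Get-Item -LiteralPath $exe -Force).Attributes
        if ($attr -band [IO.FileAttributes]::Hidden) { $findings += 'target executable is hidden' }
    } else {
        # The sample deletes and re-copies its payload; a dangling StubPath is itself a lead.
        $findings += "target executable not present: $exe"
    }
    return ,$findings
}

# Walk every root and emit one object per entry with at least one finding.
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).StubPath
        $f = Test-ActiveSetupEntry -KeyName $_.PSChildName -StubPath $stub
        if ($f.Count -gt 0) {
            [pscustomobject]@{ Key = $_.Name; StubPath = $stub; Findings = ($f -join '; ') }
        }
    }
}

# Offline check against the entry from this report (constructed input, no registry access):
# Test-ActiveSetupEntry -KeyName '{13POP6M8-1MAD-24AD-JIM1-73OP5G2223335}' -StubPath 'c:\JAMA\CRAFT\pop.exe'
# reports the malformed GUID and the untrusted path, plus "not present" on a clean host.
```

Run it in an elevated session so the HKLM roots are readable; legitimate Active Setup entries that ship with Windows use hex GUIDs and StubPaths under %SystemRoot%, so on a clean host the output is expected to be empty.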
File Changes by all processes
New Files
c:\JAMA\CRAFT\DeSKtOp.InI
c:\JAMA\CRAFT\pop.exe
\Device\RasAcd
Opened Files
\\.\PIPE\lsarpc
Deleted Files
c:\JAMA\CRAFT\pop.exe
Chronological Order
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Set File Attributes: c:\JAMA Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: c:\JAMA\CRAFT Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: c:\JAMA\CRAFT\DeSKtOp.InI
Set File Attributes: c:\JAMA\CRAFT\pop.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: c:\JAMA\CRAFT\pop.exe
Copy File: c:\B5p.exe to c:\JAMA\CRAFT\pop.exe
Create/Open File: c:\JAMA\CRAFT\pop.exe (OPEN_ALWAYS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
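The file sequence above is a drop-and-disguise routine: the sample marks c:\JAMA and c:\JAMA\CRAFT Hidden, ReadOnly and System, writes a DeSKtOp.InI into the folder (the combination Explorer treats as a customised special folder), resets the payload's attributes so it can be deleted, and copies itself in as pop.exe. The script below is an added example, not part of the sandbox report or of the sample: it walks the system drive to a shallow depth and reports directories that carry the same attribute set together with a desktop.ini and at least one executable, hashing the executables for triage. The depth, the exclusion list and the requirement for an executable are assumptions chosen to cut noise, since Windows itself marks some folders Hidden+System.

```powershell
# Added hunt (not part of the sandbox report). Finds directory trees that carry the same
# disguise as c:\JAMA\CRAFT: Hidden + System + ReadOnly attributes, a desktop.ini inside,
# and at least one executable. Depth, exclusions and file types are assumptions.
$Mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly
# Folders Windows itself marks Hidden/System; skipped to reduce noise (assumption).
$Exclude = @('$Recycle.Bin', 'System Volume Information', 'Documents and Settings',
             'Recovery', 'PerfLogs', 'ProgramData', 'Windows', 'Config.Msi')
$ExeExt = @('.exe', '.dll', '.scr', '.com')

function Get-DisguisedDropFolders {
    param([string]$Root = ($env:SystemDrive + '\'), [int]$Depth = 2)
    # -Depth needs PowerShell 5.0 or later; -Force is required to see hidden directories.
    Get-ChildItem -LiteralPath $Root -Directory -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
      Where-Object { ($_.Attributes -band $Mask) -eq $Mask -and $Exclude -notcontains $_.Name } |
      ForEach-Object {
        $dir = $_
        $files = Get-ChildItem -LiteralPath $dir.FullName -File -Force -ErrorAction SilentlyContinue
        $ini  = $files | Where-Object { $_.Name -ieq 'desktop.ini' }   # case-insensitive: DeSKtOp.InI
        $exes = $files | Where-Object { $ExeExt -contains $_.Extension.ToLower() }
        if ($ini -and $exes) {
            [pscustomobject]@{
                Directory   = $dir.FullName
                Attributes  = $dir.Attributes.ToString()
                Executables = ($exes | ForEach-Object {
                    $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                    "$($_.Name) sha256=$h size=$($_.Length)"
                }) -join '; '
            }
        }
      }
}

Get-DisguisedDropFolders | Format-List
```

A Hidden+System directory with a desktop.ini is how Explorer hides customised folders, so a match is only a lead; the executable hashes in the output are what to pivot on (compare against c:\B5p.exe from this report, or submit to a sandbox).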