dc.studyingcenter-org.com (botnet C2 hosted in China: Chinanet Hebei Province Network, Beijing)

dc.studyingcenter-org.com 123.183.217.32
dc.tvteam.info
dc.babypin.net
Outgoing connection to remote server: dc.studyingcenter-org.com TCP port 5943
Outgoing connection to remote server: dc.studyingcenter-org.com TCP port 5943
Outgoing connection to remote server: dc.studyingcenter-org.com TCP port 5943
Outgoing connection to remote server: dc.studyingcenter-org.com TCP port 5943

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

File Changes by all processes
New Files c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
\Device\RasAcd
Opened Files \\.\PIPE\lsarpc
Deleted Files c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
Chronological Order
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Set File Attributes: c:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create File: c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
Set File Attributes: c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
Copy File: c:\efd67e124eb2137b4325b10a29146dca to c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
Create/Open File: c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe (OPEN_ALWAYS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
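The three indicators worth turning into detection logic from the report above are the outbound connection to the listed C2 domain on TCP 5943, the write to the Winlogon "Taskman" value (a logon autostart location that is normally not set at all, so a single write pointing into RECYCLER is the strongest host indicator here), and the executable dropped under a RECYCLER directory whose name "R-1-5-21-..." imitates but does not match the real "S-1-5-21-..." user SID format. The script below is an added example, not code from the original post or from the sandbox that produced the report: it parses report lines in the same shape as those above and emits findings for those three indicators. It generalizes slightly: the Winlogon check also covers the Shell and Userinit values, which are abused the same way, and any non-SID directory name under RECYCLER is flagged, not just this one. The domains, IP and port are taken from this page; the sample report lines are constructed to mirror it; the rule names and the Finding class are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the sandbox report on this page.
C2_DOMAINS = {"dc.studyingcenter-org.com", "dc.tvteam.info", "dc.babypin.net"}
C2_IP = "123.183.217.32"
C2_PORT = 5943

# Winlogon values that launch a program at logon. None of them should ever
# point at an executable under RECYCLER, and Taskman is normally absent.
WINLOGON_ASEPS = {"Shell", "Userinit", "Taskman"}

CONN_RE = re.compile(r"Outgoing connection to remote server: (?P<host>\S+) TCP port (?P<port>\d+)")
WINLOGON_RE = re.compile(
    r'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon '
    r'"(?P<name>[^"]+)" = (?P<value>.+)$')
# Executable under the recycle bin; capture the per-user directory name so it
# can be checked against the real SID format.
RECYCLER_RE = re.compile(r"(?P<path>[a-z]:\\RECYCLER\\(?P<sid>[^\\]+)\\\S+\.exe)", re.IGNORECASE)
REAL_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed sample lines in the shape of the report above (not a real capture).
SAMPLE_REPORT = r"""
Outgoing connection to remote server: dc.studyingcenter-org.com TCP port 5943
Outgoing connection to remote server: dc.studyingcenter-org.com TCP port 5943
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
Copy File: c:\efd67e124eb2137b4325b10a29146dca to c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
""".strip()


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name used by this example
    evidence: str  # the host:port, registry value or path that triggered it


def is_real_sid(name):
    """True when a directory name is shaped like a genuine user SID (S-1-5-21-x-y-z-rid)."""
    return REAL_SID_RE.match(name) is not None


def scan_report(text):
    """Return unique findings, in order of first appearance, for one sandbox report."""
    findings = []

    def add(rule, evidence):
        finding = Finding(rule, evidence)
        if finding not in findings:
            findings.append(finding)

    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            host, port = m.group("host"), int(m.group("port"))
            if host in C2_DOMAINS or host == C2_IP or port == C2_PORT:
                add("c2_connection", f"{host}:{port}")
        m = WINLOGON_RE.search(line)
        if m and m.group("name") in WINLOGON_ASEPS:
            add("winlogon_asep", f'{m.group("name")} = {m.group("value")}')
        m = RECYCLER_RE.search(line)
        if m:
            add("recycler_exe", m.group("path"))
            if not is_real_sid(m.group("sid")):
                add("fake_sid_dir", m.group("sid"))
        # \\.\PIPE\lsarpc and \Device\RasAcd are also touched by benign software,
        # so they are deliberately not flagged on their own.
    return findings


def connection_counts(text):
    """Count outbound attempts per host:port; the sandbox logs every retry separately."""
    return dict(Counter(f"{m.group('host')}:{m.group('port')}" for m in CONN_RE.finditer(text)))


if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT):
        print(f"{f.rule:15} {f.evidence}")
    print(connection_counts(SAMPLE_REPORT))
```

Run it against a real report by reading the file into scan_report(); the backslashes must be intact, since the page's own copy lost them during extraction and the registry and path patterns depend on them.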

Hosting information (whois for the C2 address):
http://whois.domaintools.com/123.183.217.32
