master.easyanticheat.net (malware hosted in Sweden, Power Och Random T-lane Ab)

DNS Lookup
Host Name                  IP Address
master.easyanticheat.net   80.67.10.234
Outgoing connection to remote server: master.easyanticheat.net TCP port 50301
Outgoing connection to remote server: 82.203.212.9 TCP port 50301
Outgoing connection to remote server: 78.47.251.150 TCP port 50301

Registry Changes by all processes
Create or Open
Changes:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "EnableBalloonTips" = [REG_DWORD, value: 00000001]
Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

File Changes by all processes
New Files:
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_phqghu
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_meayln
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_lfdxfi
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_rcvscx
C:\WINDOWS\system32\drivers\etc\hosts
\Device\RasAcd
Opened Files:
\\.\PIPE\lsarpc
c:\run_EasyAntiCheat.cmd
C:\WINDOWS\system32\drivers\etc\hosts
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_meayln
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_meayln
Deleted Files:
Chronological Order:
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_phqghu
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_meayln
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_lfdxfi
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_rcvscx
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Find File: c:\run_EasyAntiCheat.cmd
Open File: c:\run_EasyAntiCheat.cmd (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\drivers\etc\hosts (OPEN_EXISTING)
Create File: C:\WINDOWS\system32\drivers\etc\hosts
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_meayln (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\eac_meayln (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Info about hosting:
http://whois.domaintools.com/80.67.10.234