
bisho1995/MalwareAnalysis-Miner


INFORMATION

The company registered behind the domain is Nice IT Services Group Inc.

Registrant contact:
Organization: Nice IT Services Group Inc.
State: Dominica
Country: DM

Domain: 31b4bd31fg1x2.org
Registrar: Namesilo, LLC
Registration Date: 2018-06-29
Expiration Date: 2019-06-29
Updated Date: 2018-08-29
Status: clientTransferProhibited
Name Servers: ns1.dendrite.network, ns2.dendrite.network

Full WHOIS record:
Domain Name: 31B4BD31FG1X2.ORG
Registry Domain ID: D402200000006634079-LROR
Registrar WHOIS Server: whois.namesilo.com
Registrar URL: www.namesilo.com
Updated Date: 2018-08-29T03:47:18Z
Creation Date: 2018-06-29T20:00:06Z
Registry Expiry Date: 2019-06-29T20:00:06Z
Registrar Registration Expiration Date:
Registrar: Namesilo, LLC
Registrar IANA ID: 1479
Registrar Abuse Contact Email: email@namesilo.com
Registrar Abuse Contact Phone: +1.4805240066
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: Nice IT Services Group Inc.
Registrant State/Province: Dominica
Registrant Country: DM
Name Server: NS1.DENDRITE.NETWORK
Name Server: NS2.DENDRITE.NETWORK
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

INFORMATION

The site to which it was making requests:
http://31b4bd31fg1x2.org/

https://wiki.theory.org/index.php/BitTorrentSpecification

MINER

https://github.com/fireice-uk/xmr-stak

SOLUTION

I am keeping the thread in case someone faces the same trouble.

Find svchostc.exe (not svchost.exe) in Task Manager and delete it from its original location. Also clean up the registry and delete the temporary files from %temp%. The svchostc.exe executed the following bat files and downloaded the virus files into the temp folder, and the rest is history.

CRYPTO WALLET DETAILS

These are the crypto wallet details I found:

"pool_list" :
[
    {"pool_address" : "23.152.0.126:443", "wallet_address" : "x", "rig_id" : "", "pool_password" : "x", "use_nicehash" : false, "use_tls" : false, "tls_fingerprint" : "", "pool_weight" : 1 },
],
"currency" : "bestalgo7",
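As an added example (not code from this repository), a small Python triage helper that loads an xmr-stak pool configuration fragment like the one above, tolerating the trailing commas and // comments that format allows, and flags what stands out in it: the pool address from this README, a bare IP on port 443 with use_tls false, and a placeholder wallet. SAMPLE_POOLS_TXT and KNOWN_BAD_POOLS are constructed from the fragment above.

```python
import json
import re

# Constructed sample: the pool_list fragment from this README, with a
# // comment added to show that the loader handles xmr-stak's relaxed syntax.
SAMPLE_POOLS_TXT = """
"pool_list" :
[
    {"pool_address" : "23.152.0.126:443", "wallet_address" : "x", "rig_id" : "",
     "pool_password" : "x", "use_nicehash" : false, "use_tls" : false,
     "tls_fingerprint" : "", "pool_weight" : 1 },  // from the infected host
],
"currency" : "bestalgo7",
"""

# Pool address taken from this README, treated here as an indicator of compromise.
KNOWN_BAD_POOLS = {"23.152.0.126:443"}


def load_pools_txt(text):
    """Parse an xmr-stak pools.txt fragment (not strict JSON) into a dict.
    Assumes no '//' inside string values, which holds for pool configs."""
    text = re.sub(r"//[^\n]*", "", text)         # drop // line comments
    text = re.sub(r",\s*([\]}])", r"\1", text)   # drop trailing commas
    return json.loads("{" + text.strip().rstrip(",") + "}")


def triage_pools(text, known_bad=KNOWN_BAD_POOLS):
    """Return (pool_address, reason) findings for each suspicious trait."""
    findings = []
    for pool in load_pools_txt(text).get("pool_list", []):
        addr = pool.get("pool_address", "")
        host, _, port = addr.rpartition(":")
        if addr in known_bad:
            findings.append((addr, "matches known miner pool indicator"))
        if port == "443" and not pool.get("use_tls", False):
            findings.append((addr, "plaintext on port 443: looks like HTTPS but is not"))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((addr, "pool given as a bare IP, not a public pool hostname"))
        if pool.get("wallet_address") in ("", "x"):
            findings.append((addr, "placeholder wallet: real payout wallet is not on the host"))
    return findings


if __name__ == "__main__":
    for address, reason in triage_pools(SAMPLE_POOLS_TXT):
        print(f"{address}: {reason}")
```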

About

Reverse engineering malware that infected my PC. Dissected every part of it.
