synyoshi.dyndns.info (botnet C&C hosted with Psychz Networks, Walnut, United States)

– DNS Queries:

Name                  Query Type   Query Result    Successful  Protocol
synyoshi.dyndns.info  DNS_TYPE_A   173.224.219.21  YES         udp

– IRC connection:

Server: 173.224.219.21:6667
Nick: n[XP-AUT]176146
Username: 8977
Joined Channel: #

Registry Changes by all processes

Create or Open: (none)

Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Update System" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Update System" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "Windows Update System" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe

Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer "PINF"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer "PINF"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

File Changes by all processes

New Files:
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ita1.tmp
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ewa5.tmp
\Device\RasAcd
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\google_cache2.tmp

Opened Files:
\\.\PhysicalDrive0
c:\Yoshiiiiiiii.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten
\\.\PhysicalDrive0
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe

Deleted Files: (none)

Chronological Order:
Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: c:\Yoshiiiiiiii.exe (OPEN_EXISTING)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ita1.tmp
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\Yoshiiiiiiii.exe to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten ()
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe
Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\taskeng.exe (OPEN_EXISTING)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ewa5.tmp
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\google_cache2.tmp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\google_cache2.tmp

Hosting information (whois):
http://whois.domaintools.com/173.224.219.21
