tmcn.gadarlar.net 93.190.140.115
* C&C Server: 93.190.140.115:6667
* Server Password:
* Username: tkcjkbb
* Nickname: [DEU|XP|958278]
* Channel: #infected (Password: infected)
* Channeltopic:
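Turning the C&C block above into structured IOCs and matching them against IRC traffic, as an added example that is not part of the sandbox report. The report text is embedded verbatim; the IRC session lines are constructed for the example, and the nick regex is an assumption generalised from the single nick [DEU|XP|958278] (country tag, OS tag, random number).

```python
import re
from dataclasses import dataclass

# The C&C block from the report above, embedded verbatim so the parser runs offline.
REPORT_CNC_BLOCK = """\
* C&C Server: 93.190.140.115:6667
* Server Password:
* Username: tkcjkbb
* Nickname: [DEU|XP|958278]
* Channel: #infected (Password: infected)
* Channeltopic:
"""

# Constructed IRC client-to-server lines (not a capture): what a bot configured
# with the parameters above would send, mixed with an ordinary user session.
SAMPLE_IRC_LINES = [
    "NICK [DEU|XP|958278]",
    "USER tkcjkbb 0 * :tkcjkbb",
    "JOIN #infected infected",
    "PRIVMSG #infected :.login",
    "NICK alice",
    "JOIN #linux",
]

# Bot nicks of this style read [COUNTRY|OS|number]; the character classes are an
# assumption generalised from the one nick in the report, not a documented format.
BOT_NICK_RE = re.compile(r"^NICK\s+\[[A-Z]{2,3}\|[A-Za-z0-9]{1,6}\|\d{4,8}\]\s*$")
JOIN_RE = re.compile(r"^JOIN\s+(?P<chan>#\S+)(?:\s+(?P<key>\S+))?\s*$")


def parse_cnc_block(text):
    """Turn the sandbox's '* Key: value' lines into a dict of C&C IOCs.

    Empty values (no server password, no topic) become None rather than ''.
    """
    iocs = {}
    for raw in text.splitlines():
        m = re.match(r"\*\s*([^:]+):\s*(.*)$", raw.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "C&C Server":
            host, _, port = value.rpartition(":")
            iocs["server"], iocs["port"] = host, int(port)
        elif key == "Channel":
            cm = re.match(r"(#\S+)(?:\s*\(Password:\s*(.*?)\))?", value)
            iocs["channel"] = cm.group(1)
            iocs["channel_key"] = cm.group(2) or None
        else:
            iocs[key.lower().replace(" ", "_")] = value or None
    return iocs


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    line: str


def scan_irc_session(lines, iocs):
    """Flag lines that look like this bot talking to its C&C."""
    findings = []
    for i, line in enumerate(lines, 1):
        if BOT_NICK_RE.match(line):
            findings.append(Finding(i, "bot-style nick [CC|OS|id]", line))
            continue
        m = JOIN_RE.match(line)
        if m and m.group("chan").lower() == iocs["channel"].lower():
            if m.group("key") == iocs["channel_key"]:
                reason = "join to C&C channel with the known key"
            else:
                reason = "join to C&C channel (key differs)"
            findings.append(Finding(i, reason, line))
    return findings


if __name__ == "__main__":
    iocs = parse_cnc_block(REPORT_CNC_BLOCK)
    print(iocs)
    for f in scan_irc_session(SAMPLE_IRC_LINES, iocs):
        print(f"line {f.line_no}: {f.reason}: {f.line}")
```

The nick regex turns one observed value into a family signature; the JOIN check keys on the channel name and treats a different channel key as a weaker, still reportable, match. Tighten the OS-tag class if it fires on legitimate nicks on your network.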
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Services" = marqi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services" = marqi.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\ecem.exe" = c:\ecem.exe:*:Enabled:Windows Services
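The three writes above are the sample's persistence: a Run value, the Terminal Server Install shadow of that Run value, and a Windows Firewall application exception. Classifying them automatically, as an added example in Python that is not part of the report: the entries are embedded with path separators restored, the "<key> "<name>" = <data>" layout is assumed from how the sandbox prints them, and the ATT&CK technique ids are the standard ones for Run-key autostart and firewall modification.

```python
import re
from dataclasses import dataclass

# The three "Changes" entries from the report above, path separators restored,
# embedded so the classifier runs offline. The Run data is a bare file name;
# it resolves because the dropped copy lives in C:\WINDOWS, which is searched.
REPORT_CHANGES = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Services" = marqi.exe',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services" = marqi.exe',
    r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\ecem.exe" = c:\ecem.exe:*:Enabled:Windows Services',
]

# <key> "<value name>" = <data>, as the sandbox prints a registry write.
ENTRY_RE = re.compile(r'^(?P<key>.+?)\s+"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')

# AuthorizedApplications data: <path>:<scope>:<Enabled|Disabled>:<display name>.
# The path contains "c:", so a plain split(":") would cut it; anchoring the
# alternation on Enabled|Disabled lets the regex backtrack to the right colon.
FW_APP_RE = re.compile(
    r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>Enabled|Disabled):(?P<display>.*)$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Persistence:
    technique: str  # ATT&CK technique id
    summary: str
    key: str
    name: str
    data: str


def classify_registry_change(line):
    """Return a Persistence finding for an autostart or firewall-exception write, else None."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    key, name, data = m.group("key"), m.group("name"), m.group("data")
    lk = key.lower()

    if lk.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        summary = f"autostart value {name!r} -> {data}"
        if "\\terminal server\\install\\" in lk:
            summary += " (Terminal Server Install shadow of the Run key)"
        return Persistence("T1547.001", summary, key, name, data)

    if "\\firewallpolicy\\" in lk and lk.endswith("\\authorizedapplications\\list"):
        fw = FW_APP_RE.match(data)
        if fw and fw.group("mode").lower() == "enabled":
            summary = (f"Windows Firewall exception for {fw.group('path')} "
                       f"(scope {fw.group('scope')}, shown as {fw.group('display')!r})")
            return Persistence("T1562.004", summary, key, name, data)

    return None


def triage(lines):
    """Run the classifier over every line and keep the hits."""
    return [p for p in map(classify_registry_change, lines) if p is not None]


if __name__ == "__main__":
    for p in triage(REPORT_CHANGES):
        print(p.technique, p.summary)
```

The firewall entry is the one worth a second look in a hardening review: the exception is keyed on the original dropper path c:\ecem.exe with scope *, while the autostart points at the copy marqi.exe, so the two artefacts must be correlated by the shared display name "Windows Services" rather than by path.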
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "InstallRoot"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "CLRLoadLogDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "OnlyUseLatestCLR"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "EventLogLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "TotalInstanceName"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "DisplayHeapPerfObject"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ProcessNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ThreadNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf2"
HKEY_PERFORMANCE_DATA "230 784"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "InstallRoot"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "CLRLoadLogDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "OnlyUseLatestCLR"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "EventLogLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "TotalInstanceName"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "DisplayHeapPerfObject"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ProcessNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ThreadNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf2"
HKEY_PERFORMANCE_DATA "230 784"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Enums
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy
File Changes by all processes
New Files
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Gpc
\Device\Tcp6
C:\WINDOWS\marqi.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Gpc
\Device\Tcp6
\Device\RasAcd
Opened Files
\\.\NTICE
c:\ecem.exe.config
c:\ecem.exe
\\.\Ip
\\.\PIPE\EVENTLOG
\\.\PIPE\ROUTER
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS
\\.\NTICE
C:\WINDOWS\marqi.exe.config
C:\WINDOWS\marqi.exe
\\.\Ip
\\.\PIPE\EVENTLOG
\\.\PIPE\ROUTER
C:\WINDOWS\marqi.exe
Deleted Files
Chronological Order
Open File: \\.\NTICE (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: c:\ecem.exe.config (OPEN_EXISTING)
Open File: c:\ecem.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Gpc (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: \\.\PIPE\EVENTLOG (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\marqi.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\ecem.exe to C:\WINDOWS\marqi.exe
Set File Attributes: C:\WINDOWS\marqi.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\marqi.exe
Open File: \\.\NTICE (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\marqi.exe.config (OPEN_EXISTING)
Open File: C:\WINDOWS\marqi.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Gpc (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: \\.\PIPE\EVENTLOG (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\WINDOWS\marqi.exe (OPEN_EXISTING)