Техническая информация
- [<HKLM>\SYSTEM\ControlSet001\Services\dmon] 'Start' = '00000000'
- [<HKLM>\SYSTEM\ControlSet001\Services\dmon] 'ImagePath' = 'System32\DRIVERS\dmon.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\DCOMRPC\Parameters] 'ServiceDll' = '<SYSTEM32>\dcomrpc.dll'
- [<HKLM>\SYSTEM\ControlSet001\Services\DCOMRPC] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\DCOMRPC] 'ImagePath' = '<SYSTEM32>\svchost.exe -k DcomRpc'
- '<SYSTEM32>\net1.exe' start "DCOMRPC"
- '<SYSTEM32>\svchost.exe' -k DcomRpc
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\_uninsep.bat" "
- '<SYSTEM32>\cmd.exe' /c echo 12345><SYSTEM32>\setup\tp32pt.dat
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\_unstart.bat" "
- '<SYSTEM32>\net.exe' start "DCOMRPC"
- <SYSTEM32>\services.exe
- NtDeviceIoControlFile, драйвер-обработчик: dmon.sys
- <SYSTEM32>\dconrpc.dll
- <DRIVERS>\dmon.sys
- %TEMP%\_uninsep.bat
- %TEMP%\_unstart.bat
- <SYSTEM32>\Setup\tp32pt.dat
- <SYSTEM32>\tp32pt.ini
- %TEMP%\154500_res.tmp
- <SYSTEM32>\config\SecEvent.Evt
- <SYSTEM32>\config\SysEvent.Evt
- <SYSTEM32>\config\AppEvent.Evt
- <SYSTEM32>\Setup\tp32pt.dat
- <DRIVERS>\dmon.sys
- %TEMP%\154500_res.tmp в <SYSTEM32>\dcomrpc.dll