Техническая информация
- [<HKLM>\System\CurrentControlSet\Services\npf] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\npf] 'ImagePath' = '%TEMP%\npf.sys'
- 'npf' %TEMP%\npf.sys
- <Текущая директория>\packet.dll
- <Текущая директория>\wpcap.dll
- %TEMP%\npf.sys
- %WINDIR%\temp\udd95d8.tmp
- global\npf_{6a52be73-ec8e-4f63-a268-7517a50dcb38}
- %WINDIR%\temp\udd95d8.tmp
- 'localhost':52013
- '%WINDIR%\syswow64\route.exe' print 0.0.0.0 (со скрытым окном)
- '%WINDIR%\syswow64\cmd.exe' /c "sc stop npf"
- '%WINDIR%\syswow64\sc.exe' stop npf
- '%WINDIR%\syswow64\cmd.exe' /c "sc delete npf"
- '%WINDIR%\syswow64\sc.exe' delete npf
- '%WINDIR%\syswow64\cmd.exe' /c "sc create npf type= kernel start= auto binpath= %TEMP%\npf.sys"
- '%WINDIR%\syswow64\sc.exe' create npf type= kernel start= auto binpath= %TEMP%\npf.sys
- '%WINDIR%\syswow64\cmd.exe' /c "sc start npf"
- '%WINDIR%\syswow64\sc.exe' start npf
- '%WINDIR%\syswow64\route.exe' print 0.0.0.0