Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'DameWare MRC Agent' = '<SYSTEM32>\DWRCST.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\DWMRCS] 'ImagePath' = '<SYSTEM32>\DWRCS.EXE -service'
- [<HKLM>\SYSTEM\ControlSet001\Services\DWMRCS] 'Start' = '00000002'
- '<SYSTEM32>\DWRCST.exe' 6129
- '<SYSTEM32>\DWRCST.exe' -ConsoleLock
- '<SYSTEM32>\DWRCS.EXE' -service
- <SYSTEM32>\DWRCS.EXE
- <SYSTEM32>\DWRCK.DLL
- %TEMP%\DWD125250\DWRCSP.cfg
- %TEMP%\DWD125250\DWRCSU.cfg
- <SYSTEM32>\DWRCST.exe
- <SYSTEM32>\DWRCST.exe.manifest
- <SYSTEM32>\DWRCShell.dll
- <SYSTEM32>\DWRCSET.dll
- %TEMP%\DWD125250\DWRCSI.DLL
- %TEMP%\DWD125250\DWRCS.EXE
- %TEMP%\DWD125250\DWRCK.dll
- %TEMP%\DWD125250\DWRCS.cfg
- %TEMP%\DWD125250\DWRCSSet.cfg
- %TEMP%\DWD125250\DWRCST.exe.manifest
- %TEMP%\DWD125250\DWRCShell.dll
- %TEMP%\DWD125250\DWRCSET.dll
- %TEMP%\DWD125250\DWRCST.exe
- %TEMP%\DWD125250\DWRCShell.dll
- %TEMP%\DWD125250\DWRCSET.dll
- %TEMP%\DWD125250\DWRCSI.DLL
- %TEMP%\DWD125250\DWRCST.exe.manifest
- %TEMP%\DWD125250\DWRCST.exe
- %TEMP%\DWD125250\DWRCK.dll
- %TEMP%\DWD125250\DWRCSU.cfg
- %TEMP%\DWD125250\DWRCSP.cfg
- %TEMP%\DWD125250\DWRCSSet.cfg
- %TEMP%\DWD125250\DWRCS.EXE
- %TEMP%\DWD125250\DWRCS.cfg
- 'localhost':6129