To install the malware as a service, run the malware’s exported
installA function via rundll32.exe with
To run the malware, start the service it installs using the net command
net start IPRIP.
Use Process Explorer to determine which process is running the service. Since the malware will be running within one of the svchost.exe files on the system, hover over each one until you see the service name, or search for Lab03-02.dll using the Find DLL feature of Process Explorer.
In procmon you can filter on the PID you found using Process Explorer.
By default, the malware installs as the service
a display name of
Intranet Network Awareness (INA+) and description of “Depends INA+, ...