Technical Information
- [<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] 'WinLogon' = '%WINDIR%\WinLogon.exe'
- User Account Control (UAC)
- Handler for all processes: %WINDIR%\ntdtcstp.dll
- %TEMP%\lol.jpg
- %TEMP%\rat.com
- %WINDIR%\winlogon.exe
- %WINDIR%\ntdtcstp.dll
- %WINDIR%\cmsetac.dll
- %TEMP%\rat.com
- DNS ASK rs#####des.no-ip.org
- '%TEMP%\rat.com'
- '%WINDIR%\winlogon.exe' \melt "%TEMP%\RAT.com"
- '%WINDIR%\winlogon.exe' \melt "%TEMP%\RAT.com" (with hidden window)
- '<SYSTEM32>\vssvc.exe'
- '<SYSTEM32>\svchost.exe' -k swprv