Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'testgame.exe' = '%TEMP%\testgame.exe'
- %TEMP%\testgame.exe
- %APPDATA%\CRNJEUFU_2018_8_10
- %TEMP%\testgame.exe
- 'wp#d':80
- 'pa###bin.com':443
- http://11#.#11.111.1/wpad.dat via wp#d
- DNS ASK wp#d
- DNS ASK pa###bin.com
- '%TEMP%\testgame.exe'
- '<SYSTEM32>\schtasks.exe' /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'%TEMP%\testgame.exe'"
- '<SYSTEM32>\schtasks.exe' /Delete /tn LimeRAT-Admin /F