Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Windows Logon' = '"%APPDATA%\WindowsLogon.exe"'
- %APPDATA%\windowslogon.exe
- http://ip###odb.com/ip_query.php
- DNS ASK ip###odb.com
- DNS ASK ir#.##izyprod.fr
- '%APPDATA%\windowslogon.exe'
- '<SYSTEM32>\cmd.exe' /c cmd /c "%APPDATA%\WindowsLogon.exe"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cmd /c cmd /c cmd /c copy "<Full path to file>" "%APPDATA%\WindowsLogon.exe"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c cmd /c cmd /c cmd /c copy "<Full path to file>" "%APPDATA%\WindowsLogon.exe"
- '<SYSTEM32>\cmd.exe' /c cmd /c cmd /c copy "<Full path to file>" "%APPDATA%\WindowsLogon.exe"
- '<SYSTEM32>\cmd.exe' /c cmd /c copy "<Full path to file>" "%APPDATA%\WindowsLogon.exe"
- '<SYSTEM32>\cmd.exe' /c copy "<Full path to file>" "%APPDATA%\WindowsLogon.exe"
- '<SYSTEM32>\cmd.exe' /c cmd /c "%APPDATA%\WindowsLogon.exe"
- '<SYSTEM32>\cmd.exe' /c "%APPDATA%\WindowsLogon.exe"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\dw20.exe' -x -s 1000