+ windows shutdown event
|Description:||In Windows, an application can register for the shutdown event triggered by WinLogon, giving a malicious DLL a chance to execute every time the machine shuts down.
When the machine is shut down, the malware is loaded into memory. It then downloads the primary malware and reinfects the machine. The malware will also lie dormant during incident reporting processes. The registration lives under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. If the subkey doesn't exist, you are in good shape. If a subkey with any name exists and it has a "shutdown" value, then the DLL named in the "DLLName" value will be launched during the shutdown process.
|Associated Capabilities/Subcapabilities:|| Persistence
|Notes:||MM Notify CallBack (3/22/2013): https://isc.sans.edu/diary/Wipe+the+drive!++Stealthy+Malware+Persistence+-+Part+4/15460|
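
The check described above, as an added example (not part of the original entry or the linked diary): it parses the text output of `reg query "<Notify key>" /s` and lists every subkey that carries a "shutdown" value together with its DLL. The sample output, the subkey names and the function names are constructed for illustration, and the usual four-space `reg query` column layout is assumed.

```python
import re

NOTIFY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample of `reg query "<Notify key>" /s` output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplepkg
    DLLName    REG_SZ    C:\Windows\Temp\example.dll
    Shutdown    REG_SZ    OnShutdown

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\otherpkg
    DLLName    REG_EXPAND_SZ    %SystemRoot%\System32\other.dll
    Logon    REG_SZ    OnLogon
"""

# One value line: indent, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_subkeys(text):
    """Map each subkey of Notify to a dict of its values (names lower-cased,
    because registry value names are case-insensitive)."""
    subkeys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith(NOTIFY.upper() + "\\"):
            current = line.strip()[len(NOTIFY) + 1:]
            subkeys[current] = {}
        elif line.startswith("HKEY_"):
            current = None  # the Notify key itself, or an unrelated key
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                subkeys[current][m.group(1).lower()] = m.group(3)
    return subkeys

def shutdown_notify_dlls(text):
    """Return (subkey, dll) for every subkey that has a "shutdown" value."""
    return [(name, vals.get("dllname", "<no DLLName value>"))
            for name, vals in parse_subkeys(text).items()
            if "shutdown" in vals]

if __name__ == "__main__":
    for name, dll in shutdown_notify_dlls(SAMPLE):
        print(f"Notify\\{name}: shutdown handler in {dll}")
```

An empty result for a host means no Notify subkey registers a shutdown handler, which is the "good shape" case in the description.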