Technical Information
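- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] '%TEMP%\Winlogon.exe' = '%TEMP%\Winlogon.exe'
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '%TEMP%\Winlogon.exe' = '%TEMP%\Winlogon.exe'
  (Both values are Run-key autostart entries, machine-wide and per-user, so the file is launched at logon. The genuine Windows winlogon.exe resides in <SYSTEM32>; a file of that name in %TEMP% is not the system binary.)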
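- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%TEMP%\Winlogon.exe' = '%TEMP%\Winlogon.exe:*:Enabled:Winlogon'
  (This value is an entry in the Windows Firewall authorized-applications list for the standard profile: the file is marked Enabled with scope `*`, i.e. permitted through the firewall for any address, under the display name 'Winlogon'.)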
- '%TEMP%\Winlogon.exe'
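- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\shimgvw.dll,ImageView_Fullscreen %TEMP%\Norooz.jpg
  (This command line opens %TEMP%\Norooz.jpg full screen in the Windows Picture and Fax Viewer, which is implemented in shimgvw.dll.)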
- <SYSTEM32>\MSWINSCK.OCX
- %TEMP%\~DFB579.tmp
- %TEMP%\Winlogon.exe
- %TEMP%\~DF919E.tmp
- %TEMP%\Norooz.jpg
- %TEMP%\~DF919E.tmp
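- '17#.#62.207.224':1369
  (Address and port are given as published; the `#` characters appear to be masking applied in the original report, so the address is incomplete and cannot be matched as-is.)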
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: 'ShImgVw:CPreviewWnd' WindowName: ''