Technical Information
- %APPDATA%\microsoft\windows\start menu\programs\startup\`.vbs
- %WINDIR%\syswow64\`.vbs
- %WINDIR%\syswow64\images.jpg
- <LS_APPDATA>\tempwinlogon.exe
- DNS ASK pa###bin.com
- '<LS_APPDATA>\tempwinlogon.exe'
- '%WINDIR%\syswow64\wscript.exe' "<SYSTEM32>\`.vbs"