Technical Information
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs"
- %TEMP%\dm6331.tmp
- %TEMP%\rknrl.vbs
- %TEMP%\winstart.vbs
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\winstart.vbs"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\rknrl.vbs"' (with hidden window)
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\win.wsf"
- '<SYSTEM32>\wscript.exe' //B "%TEMP%\winstart.wsf"