Technical Information
- [<HKLM>\SYSTEM\ControlSet001\Services\.Net CLR] 'ImagePath' = '%WINDIR%\Temp\winlogon.exe -k yygeym'
- [<HKLM>\SYSTEM\ControlSet001\Services\.Net CLR] 'Start' = '00000002'
- %WINDIR%\Temp\winlogon.exe
- 'lu###nzi.top':7007
- DNS ASK lu###nzi.top
- '%WINDIR%\Temp\winlogon.exe' -k yygeym