Blog | G5 Cyber Security

Tech support scammers using Winlogon

The method is the Winlogon Shell registry value. It can be changed by so-called skins or replacement shells with the user's consent, but in this case it was done without consent. The installer is a file called Hotstar.exe and was submitted to us by a fellow researcher. We suspect the file was hosted on the site amiga[dot]tech, for two reasons. After opening the two browser windows, the installer tells you it's done and triggers a reboot of the system.
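A defender can check for this kind of change by reading the Winlogon Shell value and comparing it with what is expected on the machine. The following PowerShell is an added example, not code from the original article; it assumes the stock value is `explorer.exe`, and the function names and the `$Expected` allowlist are hypothetical.

```powershell
# Added example: audit the Winlogon Shell value in the machine hive and in
# every loaded user hive, and flag anything outside the allowlist.
# Assumption: the stock value is "explorer.exe". Add entries to $Expected
# if a replacement shell was installed deliberately.
$Expected = @('explorer.exe')
$SubKey   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-ShellValue {
    param([string]$Value)
    # The value can hold several comma-separated commands; each one must be expected.
    $entries = @($Value -split ',' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ })
    if ($entries.Count -eq 0) { return $false }      # empty value is not normal
    foreach ($entry in $entries) {
        # -notcontains is case-insensitive; full paths are flagged for manual review.
        if ($Expected -notcontains $entry) { return $false }
    }
    return $true
}

function Get-WinlogonShellFinding {
    $roots = @('Registry::HKEY_LOCAL_MACHINE')
    # HKEY_USERS has one subkey per loaded profile; skip the *_Classes hives.
    $roots += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)" }

    foreach ($root in $roots) {
        $path = "$root\$SubKey"
        $prop = Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }            # no Shell value in this hive
        [pscustomobject]@{
            Hive       = $root
            Shell      = $prop.Shell
            Suspicious = -not (Test-ShellValue $prop.Shell)
        }
    }
}

Get-WinlogonShellFinding | Format-Table -AutoSize
```

Run it from an elevated prompt so that all loaded user hives are readable; profiles that are not logged on are not loaded under HKEY_USERS and are not covered.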

Source: https://blog.malwarebytes.com/cybercrime/2016/05/tech-support-scammers-using-winlogon/
