Hi Souradip,
It appears that the "C:\Windows\Temp\TMP0389A.tmp" file is a plain text file which contains the path to the following:
"%temp%\GoogleChrome"
As the article describes, the malware uses a combination of Windows APIs and code similar to what is found in some "open-source screengrabbing code," which appears to be primarily used for "benign screen-sharing package."
We have detection for these files as follows:
26466867557f84dd4784845280da1f27 - PS/Agent.x
d45931632ed9e11476325189ccb6b530 - RDN/Generic PWS.y
34404a3fb9804977c6ab86cb991fb130 - RDN/Generic.grp
I hope this helps!