Техническая информация
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] 'winmonitor' = '<SYSTEM32>\update32.exe'
- [<HKLM>\SYSTEM\ControlSet001\Services\wincahh] 'Start' = '00000002'
- '<SYSTEM32>\cmd.exe' /c <SYSTEM32>\del.bat
- '<SYSTEM32>\runonce.exe' -r
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\f7362f43-a055-4f08-ac0f-dba05f6019d4
- %WINDIR%\inf\INFCACHE.0
- <SYSTEM32>\del.bat
- %WINDIR%\inf\wincah0.PNF
- %WINDIR%\inf\wincahr.PNF
- <SYSTEM32>\wincahh.SYS
- <SYSTEM32>\wincahh.INF
- <SYSTEM32>\wincahh.dat
- C:\4dir
- %WINDIR%\inf\wincahr.INF
- %WINDIR%\inf\wincah0.INF
- <SYSTEM32>\wincahhd.SYS
- <DRIVERS>\wincahr.SYS
- %WINDIR%\inf\INFCACHE.2 в %WINDIR%\inf\OLDCACHE.000
- %WINDIR%\inf\INFCACHE.1 в %WINDIR%\inf\INFCACHE.2
- C:\4dir в <SYSTEM32>\update32.exe