脅威リサーチ

12 月 1 日～ 12 月 8 日の 1 週間におけるマルウェアのまとめ

TALOS Japan
2017年12月13日

本日（12 月 8 日）の投稿では、12 月 1 日～ 12 月 8 日の 1 週間で Talos が確認した、最も蔓延している脅威をまとめています。これまでのまとめ記事と同様に、この記事でも詳細な分析は目的としていません。ここでは、脅威の主な行動特性、セキュリティ侵害の指標、そしてシスコのお客様がこれらの脅威からどのように保護されるかに焦点を当てています。

下記の脅威関連情報は、すべてを網羅しているわけではないこと、また公開日の時点に限り最新のものであることに留意してください。以下の脅威に対する検出とカバレッジは、今後の脅威または脆弱性分析により更新される場合があります。最新の情報については、Firepower Management Center、Snort.org、または ClamAV.net を参照してください。

今回紹介する最も一般的な脅威は次のとおりです。

Doc.Dropper.Agent-6394293-0
Office マクロダウンローダ
難読化された Office マクロのダウンローダで、悪意のあるペイロード（実行可能ファイル）のダウンロードを試みます。ダウンロード段階より先のサンプルをダウンロードできなかったので、これ以上の解析結果はありません。しかし興味深い点ですが、このサンプルでは onion.link プロキシサービスを使用して Tor サービスによるコールバックを試みています。
Doc.Macro.Obfuscation-6389653-0
Office マクロ
Emotet は VBA マクロ難読化手法を少し変更しており、中に含まれる PowerShell コマンドを難読化して存在を隠しています。難読化手法では、未使用の VBA API を（コード全体の量と比べて）多数活用しています。
>Doc.Macro.Obfuscation-6394435-0
ダウンローダ
悪意のある電子メールスパムを通じて配信される Valyria ダウンローダについて、これまでとは異なるパターンが特定されました。新パターンのマクロコードは、「AutoOpen」や「Shell」といった一部のキーワードを除けば、一般的な VBA コードとほとんど似ていません。悪意のあるコードの大部分は、長い一連のキャスト配列を通じて難読化されています。このキャスト配列には、Mid 関数によって大文字化された文字列や分割された文字列が含まれています。
Win.Packed.Agent-6395107-0
悪意のあるパッカー
この手の実行可能ファイルでは、Firefox のクレデンシャルを不正窃取する複数のマルウェアや「Zuzy」（銀行口座情報を盗み出すマルウェア）を送り込むことが最近確認されています。
Win.Trojan.CeeInject-6394235-0
Trojan（トロイの木馬）
これらのサンプルには「PoSeidon」マルウェアが含まれています。PoSeidon は、クレジットカード情報を収集する Point of Sale（PoS）マルウェアです。
Win.Trojan.Delf-6394424-2
Infostealer（情報窃取のマルウェア）
この種のマルウェアは、ブラジル国内のユーザを標的にしています。Adobe Acrobat Reader の更新ソフトウェアを装っており、クリップボード内部のデータを不正に取得します。キーボードやマウスを不正操作する機能も持ち合わせています。
Win.Trojan.GenCNs
Trojan（トロイの木馬）
典型的なトロイの木馬で、アドウェアとして振る舞うだけでなく、Dropper としても動作します。今回のサンプルでは、中国などの遠隔地にある Web サイトと通信して追加ファイルをダウンロード・実行し、別のプロセスのアドレス空間にコードを注入しようと試みることが確認されています。
Win.Trojan.Tinba-6390856-0
Trojan（トロイの木馬）
バンキング型トロイの木馬です。マンインザブラウザ（MITB）、Web インジェクション、トラフィック傍受などの攻撃手口により秘密情報（銀行口座のログイン情報など）を窃取します。

脅威

Doc.Dropper.Agent-6394293-0

侵害の兆候

レジストリ キー

ミューテックス

IP アドレス

ドメイン名

6vt4gbkwnjfnyo6g[.]onion[.]link
ypg7rfjvfywj7jhp[.]onion[.]link
yztnv4ha5rapf6gj[.]onion[.]link

作成されたファイルやディレクトリ

ファイルのハッシュ値

0099b9221eb92408f0b8bead5d703b5c7ecb11962f49f5e67f60725427318236
094842414f8029ea69cca6237b7758c2559dd553c98990cb4e8474e6653e0b9f
0b81075cc3ef1121f3eca801d2f821719a7cfa31e5d95081ec3feb195f44d8c6
0e9b2c7a5526c8d469c3e2183cd52a38d862773118d2401467c59472aaf17263
14a415384df11be5271c58e66474cb4326aaeb4af0035afce1d61f75eaf53db3
2e6523b856a9f40bf3cf851407f3003a6564a7fb5d86657781a03bbd30d63966
365d356b6d8d463ee4d6924b37acfecf16624a58d8d2e6a783a9ef289e74ace3
3ac9e97344506f3e443490eb6b0d5f877e0c8d4462ab9bf9544b5128aafc78bb
3cae4325b4b559431dba511779feadeff19433aed194511e4ea8f4ef676ac6c7
3cc669528549cc7394074ac3ffbaa6cf3eed14436a1653d70f54ca2b3d5cdead

カバレッジ

検出時のスクリーンショット

AMP

Threat Grid

Umbrella

Screenshot

Doc.Macro.Obfuscation-6389653-0

侵害の兆候

レジストリ キー

N/A
ミューテックス
N/A

IP アドレス

ドメイン名

seoexpert4rank[.]com/yfu/
inade[.]mx/KoSZG/
1000id[.]ru/JtcKoSROv/
www[.]ra-lang[.]ch/gNFQe/
nts-tech[.]co[.]kr/RI/

作成されたファイルやディレクトリ

ファイルのハッシュ値

93900a04e4d7c629e03f3d510d249f1c8497cf94d818e0ae5913b685e467be6b
0a6d8c964286f1ec0173cde38caf3d5e36147945baaa83a0200e6f35f82446af
baf01275b874c04687f84d78451e41231b31bfc0e71995e124830ba63379fedd
5dbf9dc9341bd506eb2cdf5ec294c6c3029535424aa0a42e9b045cbd95c6d3df
0f236dccbbdb81b7724f71569eff462c6fb40658f1697331617a38074a99c6e8
d3e06e4d623b1bbf7b72ec709541c3b3fe66d09c4616c356cdc93240bd4b4c6a
a44450c9b8514dd5647128f55d2704889c87e852e3eaceea80734ae7bf8d9f49
46217dc4ef9fcef981be9a931995008f56b71e3f510721c33ed4b58b577e8fbb
4519c2f4fc0bc43cace2e70e464c00e7302e003262d7e6f903672becaba9e8ed

カバレッジ

検出時のスクリーンショット

AMP

Threat Grid

Umbrella

Doc.Macro.Obfuscation-6394435-0

侵害の兆候

レジストリ キー

ミューテックス

IP アドレス

91[.]121[.]175[.]92
185[.]125[.]46[.]161
95[.]213[.]194[.]234
62[.]109[.]26[.]193

ドメイン名

smart-soft[.]pl

作成されたファイルやディレクトリ

\srvsvc
%Public%\95857.exe
%SystemDrive%\~$7369835.doc
%SystemDrive%\10001.exe

ファイルのハッシュ値

1879023e70e891830300f667e1d08f5d3712d313108795c0fc2234942fc525f4
189f27929e2ac19501e00b9bfefddd92aed496030af4dec597d7832b38c80d84
2054a559d38206a764ce41fcff3a581ca6501e69ea87fc551ad57575cdbc5f04
33a689526403786d393a27f65e288a817fda4b2cfe2a6b153d0bcfb6eb46c2a7
33b2b1ff14870f1d94d70921ab347ebeedd7bc680bbaab9fa500f76f775b34cb
404acc127b63c29d78bef4309711b4cce103e772ec5d69d0674876f1ca38a52d
6591be6105ffedee758410af2d9e6ae849cae900aea514facf42642b6743a62c
68d539f5e356adca4d9c2c5c79839567c2d1d633a4762dc7bd84a71bd684855d
7364757fd07097278b46d8943e7ab7cc787db37a0ec28bf6d22fa92eae78c633
a658d88baff44592b269b9bc64c4b69b16e44478d86a3a7cacc201be26574fa8
af732649a7f58fc1bc8c81d513e0936c042f12342d9d6da30ff2e4f30f5a949f
b0010bb2f93bfcccdeb51beff7ce67c4b84fbfd65f892ed828de0f75e84a7ddb
bc8bb9ae27cf534eeecbb8d41da1b48e33c8a222d793e16dcb10edfc792ac92f
c7d07eb16ecddfeaa812ad251210c2bdc1681e04ea585bf145f567f9575e6757
d322b11db04a9ecd13cea36438e591d2ddd8aa0f92b6a41bd5808d21e4854683
d35c4be48d34270cc43367e37a53d6ca5c29637fc7517d9b95b5ab8048a36062
dcc5cc23f492dee38ce7411daa8e0f89bb72dbfc89b7da3a6ca6a799e1f0f324
deb9f507b68ec8201318e3be8bc44a20d549a57981a07f25f687ad97ddf63c73
df79ffd3c6e157de55104b9ab3eb4a62ed341926bbaffbd2c9216895d5adfe26
e1fe9f1caee0a7adedcc8fbb3270388c54c694171d7b7ea6991b7d0b43cbcc40
e3c59888637ff64ea4418986c375b41b0b46168e8bffde3fc3606b0c212f712b
e67446529af580230d0f007e9805a93978885a440dc68029744d951db5b07914
f348c2fd327ad98abcb609e6e1555445cd90cd9488322aa769e2680e0aae6415
f68502a6a1920806528873682da860231f60a2146dd010d2cd63e042c6f80e28
faa0729ac6b3dc7cdfbeb5c042e4d9ff95ecfa51d1c3efdaf79560f9c27956b8

カバレッジ

検出時のスクリーンショット

AMP

Threat Grid

Umbrella

Screenshot

Win.Packed.Agent-6395107-0

侵害の兆候

レジストリ キー

ミューテックス

3749282D282E1E80C56CAE5A
IP アドレス
52[.]76[.]169[.]66

ドメイン名

www[.]loki5[.]info
hkfb[.]01power[.]net

作成されたファイルやディレクトリ

ファイルのハッシュ値

085dbab7e810819bff0abe261e1d7015cbb4de4bb54261d547a7fa91e4d09d88
95966d29d229e3643a7670604daa0e3b0ffc4c7488eeca9b1b8268072b5e4b80
df77604366128916f33b09dbb2fdb14ff88563bf214cbb4fd65d695858fb15fc
3edef9b394c47000fcca8f62f9f43875b1691cd26db56013327735c224d0498f
111df72bee877678a03a98f57f59ef1f9614ff0fee6fbaa2cea120e0d452a009
918911a937295b041ef4cf59cdadc4de332161cde87bc83d7f87e7e0e3fdbaa5
89d660f623dc3b4a64986709076b0923c85a88d23648156badf61897d40970fb
4fedc2463dcf7d3bbac73858d35a85a06bbde28f42937f13c1908f4d360e8987
1b011c8b56701fe3ef08308320d2913548b2284c55c0f7cda8b9de32de76648c
5e243d5865898124260d1eaac4c5a0f8952919cbd07ecc18831dcd632666c122
a3c28f543dcb02e10a8172e7179eefb09281828cfb79a278ebbf969998866fa1
b266bf5879122f2a0ab8623f4c35bea290dab54acfe6e7c3ffde5dc09f75a630

カバレッジ

検出時のスクリーンショット

AMP

Threat Grid

Umbrella

Win.Trojan.CeeInject-6394235-0

侵害の兆候

レジストリ キー

<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：ProxyServer
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
- 値：_FileId_
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINHOST
- 値：ObjectName
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINHOST
- 値：Type
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- 値：_Usn_
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
- 値：ObjectLru
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
- 値：AeProgramID
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINHOST
- 値：DisplayName
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- 値：AeFileID
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：ProxyBypass
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
- 値：AeFileID
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\10000000095A9
- 値：AB6
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D4
- 値：ObjectLru
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- 値：_FileId_
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
- 値：_UsnJournalId_
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：IntranetName
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：UNCAsIntranet
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\3A-57-D6-05-63-AB
- 値：WpadDecisionTime
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- 値：CachePrefix
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- 値：PnpInstanceID
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\11000000005DAF
- 値：AB5
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
- 値：_ObjectLru_
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
- 値：ObjectId
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{D9F0881D-8458-4CC2-AE9B-5472D27E0970}
- 値：WpadDecision
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{D9F0881D-8458-4CC2-AE9B-5472D27E0970}
- 値：WpadDecisionTime
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINHOST
- 値：ErrorControl
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- 値：_ObjectLru_
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\3A-57-D6-05-63-AB
- 値：WpadDecision
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：AutoDetect
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：IntranetName
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：AutoDetect
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- 値：CachePrefix
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\3A-57-D6-05-63-AB
- 値：WpadDetectedUrl
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- 値：_ObjectId_
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- 値：DefaultConnectionSettings
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：ProxyBypass
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- 値：CachePrefix
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D4
- 値：ObjectId
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：ProxyEnable
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE
- 値：_CurrentObjectId_
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{D9F0881D-8458-4CC2-AE9B-5472D27E0970}
- 値：WpadDetectedUrl
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
- 値：_Usn_
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\3A-57-D6-05-63-AB
- 値：WpadDecisionReason
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- 値：AeProgramID
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- 値：SavedLegacySettings
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{D9F0881D-8458-4CC2-AE9B-5472D27E0970}
- 値：WpadNetworkName
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST
- 値：CurrentLru
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
- 値：_UsnJournalId_
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：ProxyOverride
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
- 値：10000000095A9
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
- 値：_ObjectId_
<HKU>\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
- 値：LanguageList
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：AutoConfigURL
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINHOST
- 値：WOW64
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{D9F0881D-8458-4CC2-AE9B-5472D27E0970}
- 値：WpadDecisionReason
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINHOST
- 値：Start
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINHOST
- 値：ImagePath
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
- 値：11000000005DAF
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CTLs
<HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D4
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CRLs
<HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
<HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CRLs
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\SmartCardRoot
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\Certificates
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CTLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\CA
<HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPeople
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Disallowed
<HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\10000000095A9
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WinHost
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CTLs
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
<HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\trust
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Root
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CRLs
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
<HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\3a-57-d6-05-63-ab
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\Indexes
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLs
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
<HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Root
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\My
<HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
<HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{D9F0881D-8458-4CC2-AE9B-5472D27E0970}
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\Certificates
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
<HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6\Indexes
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLs
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
<HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CTLs
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\TrustedPeople
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\Certificates
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\11000000005DAF
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\AuthRoot
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\Certificates
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\Certificates
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CRLs
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\CA
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CRLs
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Disallowed
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CTLs
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
<A>\{33CA8D6D-A479-11E7-BE8F-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{D9F0881D-8458-4CC2-AE9B-5472D27E0970}\3a-57-d6-05-63-ab
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\trust
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\CA
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CTLs

ミューテックス

WinHostWD
Local\ZonesCacheCounterMutex
Local\ZonesLockedCacheCounterMutex

IP アドレス

144[.]217[.]254[.]90

ドメイン名

linturefa[.]ru

作成されたファイルやディレクトリ

%WinDir%\SysWOW64\WinHost.exe

ファイルのハッシュ値

daee59ee955587d378dd6dc11af1a702d554c7926a9f42bac3752732c33e9317
1a7de2ac4b22ca77acef5afe8e8b45dcc5150deb3408c8934221cfbbaee0655e
fe33dc8941a6cd8ef4f64af295c2066eb0974966dfb355b5dd57e0c277261033
62a22fb0f59578de3679f70a41c2971b384167aebb032dd782f1d23d27015aa3
b7ad41fbecce918894c0645aedbc60e4ac8daee24405b6a4957c98a728a14b9a
58e226e02f8dded4b24ae60d2524497083c3d0dafb02436df5209fa9e1061085
d065ba2603790329d31e35cd45538b693c77f9870d98c4656e490c1a5034a8fa
36d4800fb0bed77e59468ae9b732eb806d59999ec2832a72e0209473069af5b1
3507a76940a2e6c930882b5cde32d2f11ba48cc0e6bfd6e4771a973ebe9db5ab
952e29ae44bb49c78f2b3fcd8c13e22181bc0a610e36723e41b79f8c1147649f

カバレッジ

検出時のスクリーンショット

AMP

Threat Grid

Umbrella

Win.Trojan.Delf-6394424-2

侵害の兆候

レジストリ キー

<HKU>\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- 値：SavedLegacySettings
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- 値：CachePrefix
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- 値：CachePrefix
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- 値：PnpInstanceID
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
- 値：LanguageList
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- 値：CachePrefix

ミューテックス

IP アドレス

191[.]252[.]186[.]108

ドメイン名

作成されたファイルやディレクトリ

\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01.chk
\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

ファイルのハッシュ値

04c3a321d00b8f54ae242969ede062ae10b8906ba5d7071fd0aa4f3b3b4ef73e
248b6182fe5aaa120a6ad009595a93bf9431cbcd3e723ad711aef9b2d4562abf
3b221118a4c2716c6c76ddc1b6b01866fcc2643d7c29e38279d6aa2dd27d60a7
3dde0bb92308140701cb61711dc7e7298baff68668d96d2db9390e2b691efeb9
44e27c54ae3dc4c4c228dc10389d2b28d1230a8933d61661271f4eaf65925b1f
482142f886ed2ee2610e2740695435e0488b5c7d6081daaeffdc93c87b6e2f93
4bdae37fe1f8dab61a16f406f08a3bbe1482cd1387351f23b29849e1de64875d
67ed3caf144d2b2dd0e8f0b6ed4de1e0ee4052e152cf32fdc22b9a3f8c935e67
75eecd86ca4cbc10e60a6b5dc85964374fd91b25f0ecf08dcb7cd96d726ec581
7a41c90ba46f40af093491c1f03fa64b36c6a10603c29a9af78540cde8440d60
8486ba3a5d2ae2297118de5f39770fb89227752bbe3e59f951cd0ef0bab8c5b5
9b6087e9607aa0149beecd97709d27cf2e3703fded3f7d31dd613a6d3f23ccaf
b17f8e85944768cc88c0a3b7103290c6eab820348103fa7a8a412af945e1d1dc
b7c8faa19fb394f42733df9c1bc7c5f0a5313ead7b0ec870c0db05f6e3baa910
c14055b23eb3a90e163962c9c70df3338bca68b67a615531ef40c6e8f8f6eabe
c45fabfd7e6f52fa519d8215ac1d569ca385bb4552eae82e63da4befa319f1d9
cc1eadad7810c4c94cdeebd63b7e54604253c4651c3a31bdf27dc96c189baa10
d44dff94eaf9ed08c7f4ef47e69e0a9b308ce49c8bc814b94b2c95c92ba53fc3
db1181dbda2b6053b008568b8f2f7b8a98cc3bd30fbea83ac8f69900d657e56f
f1db091fff240dd3d49f0d22d4809db237fda042cb7ddf7afc81a0430f5c4b8c
f6bad3bc203c29350726c32d2aad744479de84bc72e1ffed0ad8392e5dde43d0

カバレッジ

検出時のスクリーンショット

AMP

Threat Grid

Screenshot

Win.Trojan.GenCNs

侵害の兆候

レジストリ キー

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
- 値：Type
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- 値：CachePrefix
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IEXPLORE
- 値：Count
<HKLM>\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\189271E573FED295A8C130EAF357A20C4A9F115E
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
- 値：Time
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
- 値：FullScreen
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- 値：DhcpInterfaceOptions
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMAINSUGGESTION
- 値：NextUpdateDate
<HKLM>\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
- 値：Type
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
- 値：Count
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\EXTENSIBLE CACHE\MSHIST012017120620171207
- 値：CacheRepair
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：AutoDetect
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：ProxyOverride
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
- 値：Type
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
- 値：Blocked
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TABBEDBROWSING\NEWTABPAGE
- 値：LastProcessed
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
- 値：Count
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
- 値：DhcpScopeID
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
- 値：Time
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- 値：CachePrefix
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- 値：DhcpDomain
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：AutoDetect
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
- 値：Count
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- 値：DefaultConnectionSettings
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：ProxyEnable
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\EXTENSIBLE CACHE\MSHIST012017120620171207
- 値：CacheLimit
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- 値：DhcpNameServer
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\EXTENSIBLE CACHE\MSHIST012017120620171207
- 値：CachePath
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- 値：PnpInstanceID
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOWSSEARCH
- 値：Version
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TABBEDBROWSING\NEWTABPAGE
- 値：MFV
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- 値：DhcpNameServerList
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：IntranetName
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：ProxyBypass
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLBLOCKMANAGER
- 値：NextCheckForUpdateLowDateTime
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
- 値：LoadTimeArray
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
- 値：CompatibilityFlags
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- 値：DhcpNetbiosOptions
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
- 値：Collection
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
- 値：Blocked
<HKU>\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
- 値：Blocked
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IEXPLORE
- 値：Time
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore
<HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\PENDINGRECOVERY
- 値：AdminActive
<HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：IntranetName
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
- 値：DhcpNameServer
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- 値：DhcpSubnetMaskOpt
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\52DFG.COM
- 値：NumberOfSubdomains
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
- 値：LoadTimeArray
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
- 値：Type
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- 値：CachePrefix
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\EXTENSIBLE CACHE\MSHIST012017120620171207
- 値：CachePrefix
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
- 値：Time
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\ADMINACTIVE
- 値：{6C9F4A61-DA9E-11E7-BE93-00501E3AE7B5}
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
- 値：DhcpDomain
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E
- 値：LanguageList
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IEXPLORE
- 値：Type
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
- 値：Count
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\ADMINACTIVE
- 値：{00000000-0000-0000-0000-000000000000}
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLBLOCKMANAGER
- 値：NextCheckForUpdateHighDateTime
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
- 値：Time
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\BAIDU.COM
- 値：Total
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
- 値：DhcpDefaultGateway
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
- 値：Time
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
- 値：Type
<HKLM>\SOFTWARE\WOW6432NODE\JAVASOFT\JAVA WEB START\1.6.0_41
- 値：Home
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：UNCAsIntranet
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- 値：ProxyBypass
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\EXTENSIBLE CACHE\MSHIST012017120620171207
- 値：CacheOptions
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- 値：SavedLegacySettings
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\52DFG.COM
- 値：Total
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：ProxyServer
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TABBEDBROWSING\NEWTABPAGE
- 値：DecayDateQueue
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
- 値：Window_Placement
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
- 値：Count
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMSTORAGE\BAIDU.COM
- 値：NumberOfSubdomains
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOMAINSUGGESTION\FILENAMES
- 値：en-US
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
- 値：{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\iexplore
<HKU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
- 値：AutoConfigURL
<HKCU>\SOFTWARE\MICROSOFT\MULTIMEDIA\DRAWDIB
- 値：1024x768x24(BGR 0)
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CTLs
<HKCU>\Software\Microsoft\SystemCertificates\My
<HKU>\Software\Microsoft\CTF\TIP\{1188450c-fdab-47ae-80d8-c9633f71be64}\LanguageProfile\0x00000000\{63800dac-e7ca-4df9-9a5c-20765055488d}
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
<HKCU>\Software\Microsoft\Internet Explorer\Toolbar
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Root
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CRLs
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
<HKCU>\Software\Microsoft\SystemCertificates\trust
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CRLs
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\SmartCardRoot
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\Certificates
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKCU>\Software\Microsoft\Internet Explorer\DOMStorage\baidu.com
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPeople
<HKLM>\SOFTWARE\RegisteredApplications
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Disallowed
<HKCU>\Software\Microsoft\Internet Explorer\DOMStorage\www.52dfg.com
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\EXTENSIBLE CACHE\MSHist012017120620171207
<HKCU>\Software\Policies\Microsoft\SystemCertificates\CA
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CTLs
<HKCU>\Software\Microsoft\Internet Explorer\DOMStorage\pos.baidu.com
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKCU>\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CRLs
<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
<HKCU>\Software\Microsoft\Internet Explorer\DOMStorage\52dfg.com
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\trust
<HKLM>\Software\Microsoft\SystemCertificates\trust
<HKCU>\Software\Microsoft\Internet Explorer\Main\WindowsSearch
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
<HKU>\Software\Microsoft\Internet Explorer\Recovery\Active
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKU>\Software\Microsoft\Internet Explorer\International\CpMRU
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKLM>\Software\Microsoft\SystemCertificates\TrustedPeople
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKCU>\Software\Microsoft\SystemCertificates\CA
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKCU>\Software\Microsoft\SystemCertificates\Root
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLs
<HKCU>\Software\Microsoft\SystemCertificates\SmartCardRoot
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
<HKCU>\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CTLs
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CTLs
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
<HKLM>\Software\Microsoft\SystemCertificates\CA
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\TrustedPeople
<HKLM>\Software\Microsoft\SystemCertificates\Disallowed
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\Certificates
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\Certificates
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\AuthRoot
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
<HKCU>\Software\Microsoft\Internet Explorer\DOMStorage\cpu.baidu.com
<HKU>\Software\Microsoft\Windows\ShellNoRoam\MUICache
<HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\Certificates
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\Certificates
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CRLs
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\CA
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
<HKU>\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
<HKCU>\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKCU>\Software\Microsoft\Multimedia\DrawDib
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CRLs
<HKCU>\Software\Microsoft\Internet Explorer\Main
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
<HKCU>\Software\Policies\Microsoft\SystemCertificates\trust
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CTLs
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Disallowed
<HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\Certificates
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
<HKCU>\Software\Policies\Microsoft\SystemCertificates\Disallowed
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Disallowed
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
<HKCU>\Software\Microsoft\Internet Explorer\DOMStorage\Total
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\trust
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
<HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\CA
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLs
<HKCU>\Software\Microsoft\SystemCertificates\TrustedPeople
<HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\Root
<HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust
<HKCU>\Software\Microsoft\SystemCertificates\Disallowed
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
<HKCU>\Software\Microsoft\Windows Script\Settings
<HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUSTEDPEOPLE\CTLs

ミューテックス

!IECompat!Mutex
IsoScope_2f4_IESQMMUTEX_0_274
Local\URLBLOCK_DOWNLOAD_MUTEX
{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_756
UpdatingNewTabPageData
IsoScope_2f4_IESQMMUTEX_0_331
Local\VERMGMTBlockListFileMutex
Local\DirectSound DllMain mutex (0x000006A8)
IsoScope_2f4_ConnHashTable<756>_HashTable_Mutex
!IEFileUpdater!Mutex
Local\InternetExplorerDOMStoreQuota
Local\URLBLOCK_HASHFILESWITCH_MUTEX
Local\ZonesLockedCacheCounterMutex
Local\https://cpu.baidu.com/
IsoScope_2f4_IESQMMUTEX_0_303
IsoScope_2f4_IESQMMUTEX_0_519
Local\https://pos.baidu.com/
!PrivacIE!SharedMem!Mutex
Local\MSCTF.Asm.MutexDefault1
{5312EE61-79E3-4A24-BFE1-132B85B23C3A}
{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3}
Local\!BrowserEmulation!SharedMemory!Mutex

IP アドレス

106[.]39[.]162[.]36
61[.]135[.]185[.]23
117[.]27[.]232[.]35
106[.]11[.]30[.]202
104[.]27[.]97[.]74
66[.]102[.]255[.]61
116[.]253[.]191[.]237
106[.]11[.]30[.]205
103[.]7[.]29[.]251
111[.]202[.]114[.]35
204[.]79[.]197[.]200
66[.]102[.]255[.]57
66[.]198[.]178[.]124
140[.]205[.]250[.]8
103[.]235[.]46[.]191
140[.]205[.]248[.]60
120[.]132[.]3[.]45
106[.]11[.]93[.]16
66[.]102[.]255[.]39
104[.]27[.]96[.]74
66[.]198[.]178[.]122
104[.]27[.]93[.]74
165[.]254[.]60[.]146
65[.]153[.]196[.]195
65[.]153[.]196[.]196
198[.]11[.]132[.]221
66[.]198[.]24[.]253
111[.]202[.]114[.]81
66[.]231[.]239[.]122
66[.]231[.]239[.]120
47[.]89[.]67[.]254
66[.]231[.]239[.]124
140[.]205[.]60[.]79
140[.]205[.]218[.]67
119[.]146[.]74[.]34
65[.]153[.]158[.]144
104[.]193[.]88[.]109
220[.]170[.]182[.]31
103[.]235[.]46[.]39
66[.]102[.]255[.]42
66[.]102[.]255[.]43
111[.]206[.]37[.]219
222[.]186[.]49[.]224
66[.]102[.]255[.]45
66[.]102[.]255[.]50
140[.]205[.]136[.]1
140[.]205[.]158[.]4
66[.]102[.]255[.]44
112[.]80[.]255[.]55
47[.]89[.]69[.]254
104[.]27[.]92[.]74
180[.]76[.]22[.]48
65[.]153[.]196[.]201
112[.]80[.]248[.]186
106[.]11[.]129[.]144
66[.]198[.]24[.]243
14[.]215[.]178[.]152
65[.]153[.]196[.]200
106[.]11[.]209[.]24
65[.]153[.]196[.]202
65[.]153[.]196[.]203
103[.]235[.]46[.]40
65[.]153[.]158[.]143
65[.]153[.]158[.]145
119[.]146[.]74[.]49
140[.]205[.]61[.]61
65[.]153[.]158[.]148
66[.]231[.]239[.]92
115[.]239[.]210[.]141
140[.]205[.]61[.]85
140[.]205[.]218[.]72

ドメイン名

www[.]taobao[.]com
fj[.]1235k[.]com[.]cname[.]yunjiasu-cdn[.]net
z13[.]cnzz[.]com
pos[.]baidu[.]com
static[.]fraudmetrix[.]cn
dfjs[.]1235k[.]com
f11[.]baidu[.]com
cm[.]pos[.]baidu[.]com
cpu[.]baidu[.]com
dup[.]baidustatic[.]com
gss1[.]bdstatic[.]com
cnzz[.]mmstat[.]com
zz[.]1235k[.]com
cpro[.]baidustatic[.]com
fp[.]fraudmetrix[.]cn
icon[.]cnzz[.]com
sslshare[.]jomodns[.]com
f12[.]baidu[.]com
wn[.]pos[.]e[.]shifen[.]com
imageplus[.]baidu[.]com
wmjs[.]jomodns[.]com
ope[.]tanx[.]com
ad-sh-sz-zb[.]wagbridge[.]tanx[.]alimama[.]com[.]gds[.]alibabadns[.]com
zz[.]1235k[.]com[.]cname[.]yunjiasu-cdn[.]net
webb[.]jomodns[.]com
gw[.]aicdn[.]com
opencdn[.]jomodns[.]com
publish-pic-cpu[.]baidu[.]com
eclick[.]baidu[.]com
atanx[.]alicdn[.]com
p[.]tanx[.]com
c[.]cnzz[.]com
apisoft[.]df0535[.]com[.]cname[.]yunjiasu-cdn[.]net
www[.]52dfg[.]com
dfjs[.]1235k[.]com[.]cname[.]yunjiasu-cdn[.]net
ope[.]gds[.]tanx[.]com
bzclk[.]e[.]shifen[.]com
fj[.]1235k[.]com
f10[.]baidu[.]com
wn[.]pos[.]baidu[.]com
hm[.]baidu[.]com
sp0[.]baidu[.]com
world[.]taobao[.]com
u755[.]v[.]qingcdn[.]com
cm[.]pos[.]e[.]shifen[.]com
simage[.]gshifen[.]com
z[.]gds[.]cnzz[.]com
cb[.]e[.]shifen[.]com
all[.]cnzz[.]com[.]danuoyi[.]tbcache[.]com
apisoft[.]df0535[.]com
bzclk[.]baidu[.]com
7xjnh3[.]com2[.]z0[.]glb[.]qiniucdn[.]com
caclick[.]baidu[.]com
atanx[.]alicdn[.]com[.]danuoyi[.]tbcache[.]com
z11[.]cnzz[.]com
imageplus[.]e[.]shifen[.]com
ecomcbjs[.]jomodns[.]com
cpu[.]e[.]shifen[.]com
open[.]t[.]qq[.]com
origin[.]open[.]qq[.]com
jpaasne[.]e[.]shifen[.]com
s4[.]cnzz[.]com
ieonline[.]microsoft[.]com
flashservice[.]adobe[.]com

作成されたファイルやディレクトリ

%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\thread-next[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\fb[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\avatar[1].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\style_1_forum_viewthread[1].css
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\ex[1].js
\TEMP\AppData\wwblist.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\checkonline.small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\style_1_common[1].css
%SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@1235k[1].txt
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\px[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\avatar[2].htm
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\forum[1].js
\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{775A3D20-DA9E-11E7-BE93-00501E3AE7B5}.dat
%AppData%\Microsoft\Windows\Cookies\MTSHQBBR.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\qq_share[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\bd_logo[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\u=1555995088,2202163700&fm=76[1].jpg
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\arw_r[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\stat[1].js
\TEMP\AppLink\sql.dll
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\avatar[1].htm
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\fm[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\MWWX7599.htm
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\userinfo[1].gif
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\jquery-1.8.3.min[1].js
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\showip.small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\arw[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\detect[1].js
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF4E88.tmp
\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C9F4A61-DA9E-11E7-BE93-00501E3AE7B5}.dat
%AppData%\Microsoft\Windows\Cookies\28944M2J.txt
\TEMP\gzcvaqtzdusmspytflzf.dfg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\showip.small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\6108[1].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\fj_btn[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\search[1].png
\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6C9F4A63-DA9E-11E7-BE93-00501E3AE7B5}.dat
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\avatar[5].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\noavatar_small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\log[1].gif
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\20171206005032_61527[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\nv[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\share_btn[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\md5[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\favicon[2].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\58d12356-49a1-4b13-8946-cf0414ecedd8[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\arw_r[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V0100010.log
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\thread-100646-1-1[1].htm
\TEMP\AppData\QS.db
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\59_avatar_middle[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\thread-next[1].png
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\print[1].png
%SystemDrive%\gpoigmfsdzfgohtecxlq.dfg (copy)
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\style_1_common[1].css
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\seditor[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\fav[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\avatar[4].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\jquery-1.8.3.min[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\avatar[3].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\avatar[1].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\pengyou[1].png
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\qmenu[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\ico_lz[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\avatar[2].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\highlight.small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\pc_ads_bear.1x[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\adClosefeedbackUpgrade.min[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\switch_width[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\background[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\oshr[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\df_logo[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\qmenu[1].png
%SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@zz.1235k[1].txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\bg_rb[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\fastreply[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\i[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\53_avatar_small[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\avatar[3].htm
%AppData%\Microsoft\Windows\Cookies\IDOPFIC9.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\forum_viewthread[1].js
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{17DE33AB-DA76-11E7-800A-00007D8081C0}.dat
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\kindeditor-min[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\list-style-119[1].css
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\2f57811a-a7ec-49be-8a67-fcae1fecd305[1].jpg
%AppData%\Microsoft\Windows\Cookies\AZ8N99IZ.txt
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\background[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\editor[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\scrolltop[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\px[1].png
%AppData%\Microsoft\Windows\Cookies\AISN47QD.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\c[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\vchm[1].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\tongdun[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\u=4262931832,9247409&fm=76[1].jpg
%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\fm[1].js
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\common[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\stat[1].htm
%AppData%\Microsoft\Windows\Cookies\FTBCR8D3.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\stick.small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\DOMStore\R85DXRAK\cpu.baidu[1].xml
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\dfg.dat
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\coreMobilePc[1].js
%SystemDrive%\AppData\QS.db
\TEMP\AppData\wwwlist.txt
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\logging[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\bump.small[1].gif
%SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@www.52dfg[2].txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\noavatar_middle[2].gif
%AppData%\Microsoft\Windows\Cookies\3BST8HRF.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\36_avatar_small[1].jpg
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\checkonline.small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\style[1].css
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\hot_3[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\collection[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\cba256a9-f1e4-429e-a5c2-cade0a1ff7ad[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\profile[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\u=1130617034,1673256959&fm=76[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\u=725440160,1310097331&fm=76[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\avatar[1].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\open.small[1].gif
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\qq_login[1].gif
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\online_moderator[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\qzone[1].gif
%TEMP%\dfg.dat
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\avatar[4].htm
%AppData%\Microsoft\Windows\Cookies\GURHNPBW.txt
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{17DE33AA-DA76-11E7-800A-00007D8081C0}.dat
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\md5[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\weibo[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\fp[1].htm
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\pt_item[1].png
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\arw_l[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\default[1].css
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\pn_post[1].png
%AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\da98dd37-304c-4f34-8692-963ad9d3fb83
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\userinfo[1].gif
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\pn_post[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\dm[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\pn[1].png
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\jquery-1.8.3.min[1].js
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF274C.tmp
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\qshare[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\20171206005032_61527[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\tanxssp[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\settop[1].png
%SystemDrive%\AppData\QS.db-journal
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\wh[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\qq_login[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\hm[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\25_avatar_small[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\avatar[3].htm
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\search[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01.chk
%SystemDrive%\AppLink\sql.dll
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\comm[1].js
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\nv[1].png
\TEMP\AppData\AppConfig.ini
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\fp[1].htm
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\hot_3[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\print[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\midavt_shadow[1].gif
%AppData%\Microsoft\Windows\Cookies\OL83W4WY.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\core[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\avatar[5].htm
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\pn[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\avatar[4].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\logging[1].js
%AppData%\Microsoft\Windows\Cookies\3QDRLGBW.txt
%AppData%\Microsoft\Windows\Cookies\BWJZDR10.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\arrow_top[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\home[1].js
\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\imagestore\aowwxkh\imagestore.dat
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\locked[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\clear[1].swf
%AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\thread-prev[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\close.small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\pc_ads.1x[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\cf2ca419-ddee-4d2b-856a-3354b551e5a3[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\o[1].htm
%SystemDrive%\287140881.exe
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\forum_viewthread[1].js
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\nv_a[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\common[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\232719bv8ve5cvzl1l8zls[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017120620171207\container.dat
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\arw_l[1].gif
\TEMP\ÈÕÖ¾\²Ù×÷ÈÕÖ¾2017Äê12ÔÂ6ÈÕ.txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\jquery-1.8.3.min[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\rar[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\pt_item[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\ad[1].gif
\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\DOMStore\ROKQPSRG\www.52dfg[1].xml
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\nv_a[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\namepost.small[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\pic1[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\avatar[2].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\arrwd[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\31_avatar_small[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\online_member[1].gif
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\u=2144616610,2983434978&fm=76[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\43_avatar_middle[1].jpg
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\fj_btn[1].png
\TEMP\AppData\qblist.txt
\TEMP\AppData\qwlist.txt
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\style[1].css
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\u=4083043643,3990593241&fm=76[1].jpg
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\switch_width[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\avatar[2].htm
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\u=1199205626,971402299&fm=76[1].jpg
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\ui[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1NSKV6K6\icon[1].gif
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\thread-100646-1-1[1].html
%SystemDrive%\Documents and Settings\Administrator\Cookies\administrator@www.52dfg[1].txt
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\X1IF8CSM\comm[1].js
\TEMP\093477fa334791163629386b655b01a8284cf9826760b2dd9c3046e370ce026b.exe
%SystemDrive%\AppData\AppConfig.ini
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\TQM3V6S2\style_1_forum_viewthread[1].css
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\favicon[1].ico
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6OG0LJ4F\df_logo[1].png
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\cb_pc[1].js
%SystemDrive%\ \ 2017 12 6 .txt
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\forum[1].js
\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\list-entry[1].js

ファイルのハッシュ値

093477fa334791163629386b655b01a8284cf9826760b2dd9c3046e370ce026b
32529dd47d10c539f3b8334ba849decf6b7707196ab8bcc893dd3e4aa4399c3e
354c9f630336cce0332558d73ae8000b62f61ca3eb7462e21183546f0da613b8
36992980b5db3833a294748ce2abe530b9313dad5b0a8094bf9b10106ecbf250
3e47b0d23d7e39af6759ca207d3307584862fe4181a6a4a54ea38cd45ce8c542

カバレッジ

検出時のスクリーンショット

AMP

Threat Grid

Screenshot

Win.Trojan.Tinba-6390856-0

侵害の兆候

レジストリ キー

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- 値：F9E7DE7B
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- 値：internat.exe
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run

ミューテックス

F9E7DE7B

IP アドレス

ドメイン名

作成されたファイルやディレクトリ

%AppData%\F9E7DE7B\bin.exe

ファイルのハッシュ値

cc235fb882372820d6232ba89455e5da28bc9b1877e528ac2397d280b0a7d5ff
baf4a030d51e688aebe5d190334f9751339e75b79c55e1ae9e277b7a33dd8808
17147dc9d03023c4772817b6904676eb9417be3294d998ba118bf0a9d1f0d6d6
afdcc240157e03a46e8141ee99b24e4d6bcbe37c2a8d1b30e6ea860496cc3352
eef6f6d965da6f45e376eb9e5e01451ea110466e4b02780625cd5170edad4119
52d0de1c298a088a0455941e1fe0e7894671db98338a34febf4f9870aa4f387c
bda3c8f957b7195dec6d5f2f4114022346aef9791ca434943876359d3d4f15e8
b3e98e2aed557dad670309692bdc0c6d7d580ea51933449ed01354bf2dd8ca3e

カバレッジ

検出時のスクリーンショット

AMP

Threat Grid

本稿は 2017年12月8日に Talos Group のブログに投稿された「Threat Round Up for Dec 01 – Dec 08 」の抄訳です。

Tags:

コメントを書く

12 月 1 日～ 12 月 8 日の 1 週間におけるマルウェアのまとめ

脅威

Doc.Dropper.Agent-6394293-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Doc.Macro.Obfuscation-6389653-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Doc.Macro.Obfuscation-6394435-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Packed.Agent-6395107-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Trojan.CeeInject-6394235-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Trojan.Delf-6394424-2

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Trojan.GenCNs

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Trojan.Tinba-6390856-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

シスコをフォロー

人気のコンテンツ

カテゴリー

おすすめサイト

関連リンク

12 月 1 日 ～ 12 月 8 日の 1 週間におけるマルウェアのまとめ

脅威

Doc.Dropper.Agent-6394293-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Doc.Macro.Obfuscation-6389653-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Doc.Macro.Obfuscation-6394435-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Packed.Agent-6395107-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Trojan.CeeInject-6394235-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Trojan.Delf-6394424-2

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Trojan.GenCNs

侵害の兆候

カバレッジ

検出時のスクリーンショット

Win.Trojan.Tinba-6390856-0

侵害の兆候

カバレッジ

検出時のスクリーンショット

登録

シスコをフォロー

人気のコンテンツ

カテゴリー

おすすめサイト

関連リンク

12 月 1 日～ 12 月 8 日の 1 週間におけるマルウェアのまとめ