Cisco Japan Blog

Malware Roundup for the Week of June 1 to June 15


June 26, 2018


In today's post, we summarize the most prevalent threats that Talos observed during the week of June 1 through June 15. As with previous roundups, this post is not intended to be an in-depth analysis. Instead, it focuses on the key behavioral characteristics of each threat and its indicators of compromise, and explains how Cisco customers are protected from these threats.

Note that the threat information below is not exhaustive and is current only as of the publication date. Detection and coverage for these threats may be updated as a result of future threat or vulnerability analysis. For the latest information, refer to Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Dropper.Johnnie-6567758-0
    Dropper
    Johnnie (also known as Mikey) is a malware family focused on persistence and is known for its plugin architecture.
  • Dropper.Yakes-6563213-0
    Dropper
    This malware family establishes persistence on the target system by adding a registry entry under HKLM\Software\Microsoft\CurrentUser\Run. It also uses netsh.exe to modify Windows Firewall rules so that its DLL is allowed to communicate with the outside.
  • Dropper.Prepscram-6571863-0
    Dropper
    Prepscram is a software bundler that can install other unwanted software.
  • Dropper.Scar-6563211-0
    Dropper
    Scar is a remote access trojan that attempts to steal users' login credentials for several financial websites.
  • Dropper.Gandcrab-6574655-0
    Dropper
    GandCrab is ransomware that targets Windows machines and demands payment in the Dash cryptocurrency to recover the encrypted files. It is under near-constant development, and its authors release new versions at an aggressive pace.

Threats
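The persistence behaviors described above (a Run-key entry plus netsh.exe firewall changes for Yakes, a RunOnce entry in the GandCrab indicators, and the Winlogon Shell value in the Scar indicators later on this page) can be caught with a small piece of detection logic over endpoint telemetry. The following is an added example, not Talos code: the Sysmon-style event records (EventID 13 = registry value set, EventID 1 = process create) and every path, SID and value name in them are constructed for the demonstration.

```python
"""Flag autorun-key writes and netsh firewall changes in Sysmon-style telemetry.

Added example (not from the Talos roundup). Event dicts use Sysmon field
names; all sample values are constructed and do not come from real hosts.
"""
import re

# Autorun locations named in this roundup: Run/RunOnce and Winlogon\Shell.
# Patterns are applied to the full Sysmon TargetObject (key path + value).
AUTORUN_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
    re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell$", re.I),
]

# netsh invocations that open the host firewall for a program, which is the
# behavior the Yakes description attributes to the dropper.
NETSH_FIREWALL_RE = re.compile(
    r"netsh(\.exe)?\s+(advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+allowedprogram)",
    re.I,
)


def find_persistence(events):
    """Return a list of (severity, description) findings for suspicious events."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 13:
            target = ev.get("TargetObject", "")
            if any(p.search(target) for p in AUTORUN_PATTERNS):
                findings.append((
                    "high",
                    f"autorun entry written: {target} -> {ev.get('Details')} "
                    f"by {ev.get('Image')}",
                ))
        elif ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            if NETSH_FIREWALL_RE.search(cmd):
                findings.append((
                    "medium",
                    f"firewall rule added via netsh: {cmd} (parent {ev.get('ParentImage')})",
                ))
    return findings


# Constructed sample telemetry: one Run-key write, one netsh firewall rule,
# one Winlogon\Shell rewrite, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\strght",
     "Details": r"C:\Users\user\AppData\Roaming\strght.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="svc" dir=in action=allow program="C:\Users\user\AppData\Roaming\x.dll"'},
    {"EventID": 13, "Image": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe,C:\Users\user\kxyk.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain",
     "Details": "corp.example"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface ip show config"},
]

if __name__ == "__main__":
    for severity, text in find_persistence(SAMPLE_EVENTS):
        print(f"[{severity}] {text}")
```

The autorun check keys on the full registry path rather than on the writing process, so a trusted installer touching Run keys will also fire; in production, pair it with an allow-list of known installers or with the parent-process context, which is what makes the netsh finding here worth a medium rather than a high.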

WIN.DROPPER.JOHNNIE-6567758-0

Indicators of Compromise

Registry Keys

  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\4F8A903B98DDC9436D66B555E49D04A498A2C0E6
    • Value: Blob
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV\INSTANCES\WTBHOV INSTANCE
    • Value: Altitude
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV\INSTANCES\WTBHOV INSTANCE
    • Value: Flags
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV
    • Value: ImagePath
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV
    • Value: DisplayName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV
    • Value: St
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV
    • Value: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV
    • Value: ErrorControl
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV
    • Value: WOW64
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV
    • Value: Group
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV
    • Value: Type
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES
    • Value: 4F8A903B98DDC9436D66B555E49D04A498A2C0E6
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV\INSTANCES
    • Value: DefaultInstance
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP6\PARAMETERS
    • Value: DisabledComponents
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK
    • Value: atimode
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK
    • Value: shield_count
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK
    • Value: set_pt
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK
    • Value: set_bl
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\COMPATIBILITY ASSISTANT\PERSISTED
    • Value: C:\Users\ADMINI~1\AppData\Local\Temp\n1s\nchsetup.exe
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value: DisableTaskOffload
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\NETWORK\FILESERVICE
    • Value: igfxmtc_time
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\NETWORK\FILESERVICE
    • Value: Liveup
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\4F8A903B98DDC9436D66B555E49D04A498A2C0E6
  • <HKLM>\Software\Microsoft\WBEM\CIMOM
  • <HKCU>\Software\Classes\Local Settings\MuiCache
  • <HKCU>\Software\Classes\Local Settings\MuiCache\3e\52C64B7E
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV\INSTANCES\wtbhov Instance
  • <HKLM>\SOFTWARE\WOW6432NODE\NCH SOFTWARE\ExpressAnimate
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\wtbhov
  • <HKLM>\SOFTWARE\WOW6432NODE\NCH Software
  • <HKLM>\SOFTWARE\Wow6432Node
  • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV\Instances
  • <HKLM>\Software\Wow6432Node\NCH Software\ExpressAnimate
  • <HKCU>\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Network\FileService
  • <HKLM>\SOFTWARE\CLASSES
  • <HKLM>\Software\Microsoft\SystemCertificates\Root

Mutexes

  • N/A

IP Addresses

  • 45[.]77[.]68[.]17
  • 45[.]32[.]78[.]78
  • 45[.]63[.]57[.]87
  • 173[.]192[.]16[.]184
  • 174[.]37[.]56[.]249

Domain Names

  • gpt9[.]com
  • optcdn[.]com
  • www[.]userbest[.]com
  • optitm[.]com

Files and Directories Created

  • %WinDir%\TEMP\UDD25E0.tmp
  • %LocalAppData%\Temp\F08B.tmp
  • %LocalAppData%\igfxmtc\igfxmtc.exe
  • %LocalAppData%\Temp\EF04.tmp
  • %LocalAppData%\Temp\EDDB.tmp.exe
  • %LocalAppData%\Temp\F251.tmp
  • %LocalAppData%\igfxmtc
  • %LocalAppData%\Temp\n1s\nchdata.cab
  • %WinDir%\TEMP\UDD1615.tmp
  • %LocalAppData%\Temp\n1s\nchsetup.cab
  • %LocalAppData%\avknwbh\dowmload.tmp
  • %WinDir%\TEMP\UDD359B.tmp
  • %LocalAppData%\Temp\n1s\nchsetup.exe
  • %WinDir%\TEMP\UDD1E02.tmp
  • %WinDir%\TEMP\msidntfs\SSL\cert.db
  • %WinDir%\TEMP\UDD2DBD.tmp
  • %LocalAppData%\Temp\EDDB.tmp
  • %AppData%\NCH Software\ExpressAnimate\Logs
  • %WinDir%\TEMP\UDDF579.tmp
  • %System32%\vsakdwi\cweubpd.exe
  • %System32%\drivers\auswkvge.sys
  • %System32%\vsakdwi\cweubpddrv.sys
  • %LocalAppData%\Temp\F0AB.tmp
  • %AppData%\NCH Software\ExpressAnimate
  • %WinDir%\TEMP\msidntfs\SSL\SecureTrust Network Root CA 2.cer
  • %LocalAppData%\Temp\n1s
  • %WinDir%\SysWOW64\vsakdwi
  • %System32%\vsakdwi\cweubpd.sys
  • %System32%\vsakdwi
  • %LocalAppData%\avknwbh
  • %WinDir%\TEMP\UDDE28.tmp
  • %WinDir%\TEMP\msidntfs
  • %WinDir%\TEMP\msidntfs\SSL
  • %AppData%\NCH Software
  • %LocalAppData%\Temp\n1s\nchdata.dat
  • %LocalAppData%\Temp\EE1B.tmp
  • %LocalAppData%\igfxmtc\dowmload.tmp

File Hashes

  • 9eedaac111db1f28fc90300e2ecf417368595ebca2763a211fe1bb356527f06e
  • 8de212ff8c8364cfce48bf818b245eaf46db049e2fb4f48b4ef839d6160ed245
  • 023789cfc258b2d9bae00e94de0f1ee96f33f20a98415421d63f64be90e4b236
  • 5308ee082f975bd750aefa0c1cad84a517a48a7dcc1e72ad665e2a6ae1a6e73c
  • 6ee5b5dcc0bbf0ea59be2a87d413f31c7775b44fa50787c6fef594f34666e757
  • 6964abdc0a2daed0a51ca023392ac96b809584a8f1e9014f159e670e2b4b12af
  • 9e9b6c508e2d483b6ca8461a9629e9f0f7b452c7463248bc8879b880a5cb40cf
  • cb9be6bbc4bf545cdbfb87585289197202bcd5cfb31aa88813bad0277756a175
  • a14c508538dba4e05fcac66ddcfc1aaf4454507907523ba7d0983380e0a153da
  • 3f78f88330bfd6eaa889ffc2332b91235a4fb8bb364d0b076b6ebfb51f8f02ef
  • 87ee726e7e84443d44cfcaaf2151938d7cbb04b2dbb60669c6a843ecf51588e6
  • c10e952f5ad87ee0685409c2f6855009e069b181ad7e155f118f524e09de621a
  • d89080318573953ea0e0c2654a14252c70daa368ed3c81f6fd1aaeb2b2bcdeeb
  • 2ecf1771778fce31ff2c6004c3601be6d372189166fec6511a0f393fb684bff0
  • 36b5297734e9ca147c71985b649d0f49fcc0324d2b61cefda1135fd9a5ffa0d2
  • 25c14e5ea990fee7091433ea8050caecb60be93c81d54100506ed23bb472bb8e
  • 62e97b12781c36ac029176ce7b10cbfcf6fd58ff4552025aa1d8fc60bcde4bee
  • d7e0958d2eaa5f17e0ffc2ee6a4549401c30b381499df3a52384ef04023e0c80
  • 26e6871828aba6f30916bbcc6d8d60d9320f11d791993fe7fec1c7ecfa1cd733
  • 1ff912cfaf566f4e5a76a8a53f5e423a78df1dc9e187c5485b894665f847e563
  • 0e73d31d6db3dd82988313fe3f463891b24d0e41286d93a89df6a8a56aeccc8c
  • 2c874006199614655a153045793254888ceb0d0aa68c0d40b56351f54b0fab68
  • 6491f8c7234d1a92befb8eb01c8c7ff981b3a51cd5a4eb187e82911a01ae3327
  • 5fbe25ba6c8e8a52932053adaa22028ac2ddc3f14b187884bd40f8a0f3d02cf8
  • 50dcb2e7e9f7443099dc66ea5f0c1c73f25af3425c7365fc8f58ec43b0f28d71
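The IP addresses, domains and hashes in these sections are published defanged (`45[.]77[.]68[.]17`), so before they can be matched against logs they have to be refanged, validated and sorted by type. The block below is an added example, not Talos tooling: it normalizes a handful of the Johnnie indicators listed above and runs them against proxy log lines and a file-hash inventory that are constructed for the demonstration (the `10.0.0.x` clients, `example.com`, and the `cdn.userbest.com` host are made up, the latter to show that a sibling host of a listed `www` name is not a hit).

```python
"""Refang, validate and match roundup indicators against sample logs.

Added example, not Talos tooling. Indicators are copied from the Johnnie
section of this roundup; the log lines and file inventory are constructed.
"""
import ipaddress
import re

INDICATOR_TEXT = """
45[.]77[.]68[.]17
45[.]32[.]78[.]78
gpt9[.]com
www[.]userbest[.]com
9eedaac111db1f28fc90300e2ecf417368595ebca2763a211fe1bb356527f06e
8de212ff8c8364cfce48bf818b245eaf46db049e2fb4f48b4ef839d6160ed245
not-an-indicator
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def refang(raw):
    """Undo the defanging used in the roundup: [.] -> . and hxxp -> http."""
    return raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def classify(raw):
    """Return ('sha256' | 'ip' | 'domain' | None, normalized_value)."""
    value = refang(raw)
    if SHA256_RE.match(value):
        return "sha256", value
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain", value
    return None, value


def load_indicators(text):
    """Bucket each non-empty line by type; lines that validate as nothing are dropped."""
    iocs = {"ip": set(), "domain": set(), "sha256": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, value = classify(line)
        if kind:
            iocs[kind].add(value)
    return iocs


def match_logs(log_lines, iocs):
    """Return (kind, indicator, line) hits for key=value style proxy log lines."""
    hits = []
    for line in log_lines:
        fields = dict(LOG_FIELD_RE.findall(line))
        host = fields.get("host", "").lower()
        if fields.get("dst") in iocs["ip"]:
            hits.append(("ip", fields["dst"], line))
        # Exact match, or a subdomain of a listed domain; sibling hosts do not match.
        if any(host == d or host.endswith("." + d) for d in iocs["domain"]):
            hits.append(("domain", host, line))
    return hits


def match_hashes(inventory, iocs):
    """Return (path, sha256) pairs from a {path: sha256} inventory that hit the list."""
    return [(p, h) for p, h in inventory.items() if h.lower() in iocs["sha256"]]


# Constructed proxy log lines (timestamp, then key=value fields).
SAMPLE_LOGS = [
    "2018-06-12T10:01:02Z src=10.0.0.5 dst=45.77.68.17 host=gpt9.com uri=/update.php",
    "2018-06-12T10:01:09Z src=10.0.0.5 dst=93.184.216.34 host=example.com uri=/",
    "2018-06-12T10:02:41Z src=10.0.0.7 dst=198.51.100.9 host=cdn.userbest.com uri=/a",
    "2018-06-12T10:03:00Z src=10.0.0.7 dst=198.51.100.9 host=www.userbest.com uri=/b",
]

# Constructed file inventory; the first hash is from the roundup, the second is a dummy.
SAMPLE_HASHES = {
    r"C:\Users\user\AppData\Local\igfxmtc\igfxmtc.exe":
        "9eedaac111db1f28fc90300e2ecf417368595ebca2763a211fe1bb356527f06e",
    r"C:\Windows\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    iocs = load_indicators(INDICATOR_TEXT)
    for hit in match_logs(SAMPLE_LOGS, iocs):
        print("log hit:", hit)
    for hit in match_hashes(SAMPLE_HASHES, iocs):
        print("hash hit:", hit)
```

Matching the domain list by suffix (subdomains of a listed apex) while keeping `www[.]userbest[.]com` as the exact published host is deliberate: the roundup lists the host it observed, not the whole zone, so widening the match is a judgement call to make per indicator rather than by default.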

Coverage

Screenshots of Detection

AMP

Threat Grid

WIN.DROPPER.YAKES-6563213-0

Indicators of Compromise

Registry Keys

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: strght
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig

Mutexes

  • N/A

IP Addresses

  • N/A

Domain Names

  • N/A

Files and Directories Created

  • N/A

File Hashes

  • 169fe9e796839d98dd0f00264bad976ac2b5c0771d66a66514854c65656f2e54
  • ecac7c8ec814eb19822ce5e93696d766cc991b827c918088866f44bfcebdd710
  • c9edd7a71859740afbc817868f500cc2ed319d8f0127b7d4ecf89e83cc307482
  • c21a3833cad6f3c196ee70d0343939221106b219dde1481fea5ae7a48b32c4a0
  • 53721e54bf9a6e35ec1558c4d3237db12db995f3d89a2cb05e06dcb3b82cb14c
  • fc6fc2eb348727f9dd1a66a69811bc2b1441d46f2eca1eb1d34aa27dc42aca94
  • c2545d675a7d05c41111e7f6196daf51470612f6db65b320e0aea556027d89b7
  • a4a3bec19ffc852d04f8b11edd6713338076802e1335d5939e21231b30d66b31
  • 90d861b3500e776c25e31c1a4f6af656415f6071944ba65efa039e642330403e
  • 9cdd4b4358fb08a04c622e3bf8e825cb87a703249973136279e20045bcfecf00
  • d4bee61d84fa1a7724e2425f8296619575ef7131448708d9939fa69ec574b197
  • c2f06095fab6aee3aa19d6c30dca75e926fc01abcd21a74f2d50fa2a8804ec59
  • 72e5d84c4c66c1b180443d1f54fb6cd874fb4cddd9572f6daba90fba02e9e1ea
  • f835993c01842ca78326ac5816c64a90381e8fe804c0ef38d2329c39340ea16d
  • a8425ab94da9ca3f5dc7e3e7d125ccef26ef1cfbeffa06f9be0992c6402d919e
  • 013e0f21218183e916f5eea20c7d1b2c0d391b19c7b7bcee4a1e5540c0f9048a
  • 5a77aa50590e70924a869a0a74aae5f4172e0d383f1490453553a05e2dac0244
  • e735ccd69bd3f87773641b54a959cdfe660994c192ca768083c7fbc8e43b084d
  • 1658bccda90ea8ecae77dcfa4e62629c269f8497b8bdd3caf53c314ac62e8264
  • 8d5dbba983ff17ba948863dee51cf989ceea7ac9154dfdee77f0e0f3641530b8
  • abc2f0170a32507c0229181a010fbee77af068234da4ffb7573970e190eeb4c4
  • 2a956f95d05aacf75be964cfae884cb2b4a7540e8f5314e41aade641f09a0d22
  • 3909dd2aedae70911ba19b7124e30a74e9c81bb3da4f6f95f8340dbff95dd3c4
  • bd97233242fa610fd53b7d4ce308f55c8c6b0653aca021f7be02c2ca830d30bb
  • d8c8f1f779ed9f089e33405c30c04021b17fa6ee5d1f679e958bd1894db2c692

Coverage

Screenshots of Detection

AMP

Threat Grid

WIN.DROPPER.PREPSCRAM-6571863-0

Indicators of Compromise

Registry Keys

  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID

Mutexes

  • N/A

IP Addresses

  • 52[.]85[.]146[.]150

Domain Names

  • bush[.]basinafterthought[.]bid

Files and Directories Created

  • N/A

File Hashes

  • 14a27e53d748dd5a180f31283a24c420e0cf201f7deaf77140c9e07954fbc7e1
  • e5946260399e55af6a5e21a696c3790e7aaf6653869b73885ab7b93116dff677
  • 71e6dc866c630348249bad46b5d34036a576a108b8b69f36984f4195882a02e5
  • a1d8ff6306950d4a55402737a42f613a0eccc5fce66c7aa0a60d11c2ca598525
  • f91c4b1034ea7a193aef5ce586a1f6ba84e735b55bef91d9f4559816b40c3321
  • eb732a01f5f2a3fda038a10ce62a0f1d3068aaaed4ee2b44f351007f4c063a7d
  • ed114bd563038ca504de06b1a0629c493d886d6419205da69eb9730f82688050
  • faefcf1da92c7c554dfef22e4f719f73517ae636af0b47b319635239af6657d4
  • e7010999238fd3cc2cc144b4ba09e0affc6362811cd76d27dd55848b266f6388
  • fbc0a54ab9d6e1317867d478f765c4648ee0c3f156a4aaf29d851fa20b48d61f
  • f7d7d01c4812ba9cf1fa71958dd395b120ae9a420437767b4ff9aec2455d0447
  • e47008ae92769ad08f74ef5ff7b6f97b0b018479adff00a5041b02adb71f3bf8
  • d7fe56e6ce270a796adb2d14db0d2d4c7b02845737fa1973c6f790eefc3260ac
  • 5c1d23211ee3e6fe222ad1e017aa56f00cdfb64678f1ffb457489e70dbbfa511
  • bad3de4948f6a8c08555cd0224713fa7dac6c5845548ee4148cc486a6cd49adf
  • afce18cdd76a0e3e36dd2d9639fa1ba4f616952c1cc69e1d06089155d773a947
  • 01b2027c7a7e3888eb84a0e7c3bacf95b9b6e8da7a79bc578464ec9627f7a9e0
  • bc879aed2577aa152064a167e312287d59575d510f7a56eda7aa66e170baae80
  • f4eef29cd1e43843cfc1d0533d2c518dbbb5982093d6d1c6f576e02549e28b60
  • 42691432711dfe36fcb46fbf93395e41bcb7afc7c6b57bf7295471dbf1928e9a
  • 4431eebcb86a10222171eb6b678ae19bd59aef22644a842681469dbd2ab85e4c
  • 3bc6b0ea5ea71bbb67be5d06fb4d6bc7f5398f11bf2802bd381a645033e45922
  • 6ff6df3020263a78db2719e427e037264873559522b49506b7532fb72c8ceec1
  • 6fd913f9e1684e763628aa1faab9b414688f62692db53b3d6edcdb041a598445
  • 98a1804a57bb382d7b68128f282c8186046e8d7ffa71f7a955cdeb16ad1c8239

Coverage

Screenshots of Detection

AMP

Threat Grid

WIN.DROPPER.SCAR-6563211-0

Indicators of Compromise

Registry Keys

  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: Shell
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
    • Value: AddToFavoritesInitialSelection
  • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
    • Value: AddToFeedsInitialSelection
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Mutexes

  • N/A

IP Addresses

  • N/A

Domain Names

  • N/A

Files and Directories Created

  • %UserProfile%\kxyk.exe
  • %SystemDrive%\TEMP\papi.dmp

File Hashes

  • 819b64dbecbfaa4274e096740c033bd118391e000124c42028a5dadff6a2b6b2
  • 10f4d71c51b53e87fb855f85cb2066c0611786b4f27bf030a969e2b696e0ac84
  • 55a2c8b5e5528bfd05136b3759ac2ff967145706f88dc331c92bf2e65e3c2053
  • b4e421f1af2fa82aa5c1489dea77cefc69125e16631fe19d6e4d30329186dba3
  • 48464c8b5d71fe2689065e051e16275e8eda04fe502991d84840c662d4ce19da
  • c9a1facd73f2d0d3ef0f86c6069a1deae2e35d2a010ca9a4953e32d749d59936
  • e61ad12a6bc35d1cfe82665168eed4083b13693fe7512826f3740367edbfa52b
  • b76762ebb156f1cceaa5d76c880cded3d8e2ed577ba45aaf1459c2a2b1b6a287
  • ad0500c90ba5cad4e4bad229f8ea18f97bb6e61112b2770804d8d9171fd5e812
  • a8aef06b777086b2de7c77fc1c9c4a41f876116d96141799be4a600e3a6b5881
  • 2e933578bb4d9e9e76617f593ebd51b6e5bc91773da879c7a56a0e982539ad98
  • 604f529ae774f625bdd0a35ecea90256793d70e14dc04c9ca1fb9197122e8cd6
  • 3d49eda19ce2fd612a516b677511b193b43e27f4e21d0d979d3be02db8846fc8
  • 9599162f12785563da8afc8e119a671e0e7c499579c83d6bf8f614328761b282
  • 3bbc0ca58b107ffebc14d3cc8a9dc21583b5d8e9bec257e057c2549dc9b4ab5d
  • 77f20318e906d4347194b2bbb0ac957e375577653aad2b2bab20b40f0c5f0f26
  • 36058bac712a7a5a72aa4b30d5d473cda298c66028d2fa42628a0a44fa0d9775
  • 6d33fb8cc44e1e33b2dfcd4e315c510a47dec57a0835d93504803f8623c0605e
  • a7801a51c772e4768bb745626b7649891eb33b132f8882ae61726a9abf885e55
  • de9d7b3c017d241d4fe483025d2e6c35377384c50bcc01cb8f49ab5a38f9263e
  • 1572f8b9f6e2a23e1e1acec696112271ec3e1516471989a8ff640f40a1c304ff
  • 61ec6a1beec7fb5386f11692f06179960d26e8367b241d9e5609dbe043d30763
  • 718e8a1114f6a6c5e0ba5c52cf2c17fa1ec9486497acb1253ee868beacceb4fc
  • 4772ecd2c9b219dacd5614c5ad9ad5f6c92253bd36e318a61c8ea2b42c9d0421
  • 8047b535f1a3c1eb1cfb02e66746d0d70dabd2a973e0edfd4525305e40b9737a

Coverage

Screenshots of Detection

AMP

Threat Grid

WIN.DROPPER.GANDCRAB-6574655-0

Indicators of Compromise

Registry Keys

  • <HKU>\.DEFAULT\CONTROL PANEL\DESKTOP\MUICACHED
    • Value: MachinePreferredUILanguages
  • <HKU>\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value: @ieframe.dll,-12512
  • <HKU>\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value: LanguageList
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{00021493-0000-0000-C000-000000000046}\ENUM
    • Value: Implementing
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoDetect
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyEnable
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoConfigURL
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
    • Value: CleanShutdown
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoConfigURL
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: SavedLegacySettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: DefaultConnectionSettings
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: DisplayName
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: URL
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: Deleted
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: SuggestionsURL
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: TopResultURL
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: FaviconURL
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: SuggestionsURLFallback
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: FaviconURLFallback
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
    • Value: TopResultURLFallback
  • <HKCU>\CONTROL PANEL\KEYBOARD
    • Value: InitialKeyboardIndicators
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\VERSIONMANAGER
    • Value: FirstCheckForUpdateHighDateTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\VERSIONMANAGER
    • Value: FirstCheckForUpdateLowDateTime
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SUGGESTED SITES
    • Value: DataStreamEnabledState
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SUGGESTED SITES
    • Value: MigrationTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
    • Value: CompatBlockPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
    • Value: NewInstallPromptCount
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: ShutdownFlags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
    • Value: Count
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
    • Value: Flags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
    • Value: Blocked
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
    • Value: Type
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
    • Value: Time
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • Value: CachePrefix
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{00021494-0000-0000-C000-000000000046}\ENUM
    • Value: Implementing
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\HIVELIST
    • Value: \Registry\User\S-1-5-21-2580483871-590521980-3826313501-500
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\HIVELIST
    • Value: \Registry\User\S-1-5-21-2580483871-590521980-3826313501-500_Classes
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: UNCAsIntranet
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY\SHUTDOWN
    • Value: Comment
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY\SHUTDOWN
    • Value: ReasonCode
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\USER PREFERENCES
    • Value: 88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\USER PREFERENCES
    • Value: 2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: UNCAsIntranet
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: AutoDetect
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value: bxchnkordot
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\0000000000000004
    • Value: ObjectLru
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\0000000000000004
    • Value: ObjectId
  • <HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\0000000000000001
    • Value: ObjectLru
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\0000000000000001
    • Value: ObjectId
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
    • Value: 3000000010875
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: SavedLegacySettings
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: DefaultConnectionSettings
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\ADMINACTIVE
    • Value: {50743781-67B4-11E8-8419-00501E3AE7B5}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\ADMINACTIVE
    • Value: {00000000-0000-0000-0000-000000000000}
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY
    • Value: LastAliveStamp
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY
    • Value: 6005BT
  • <HKLM>\SOFTWARE\MICROSOFT\WBEM\CIMOM
    • Value: ProcessID
  • <HKLM>\SOFTWARE\MICROSOFT\WBEM\CIMOM
    • Value: LastServiceStart
  • <HKLM>\SOFTWARE\MICROSOFT\WBEM\CIMOM
    • Value: PreviousServiceShutdown
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\RECOVERY\PENDINGRECOVERY
    • Value: AdminActive
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
    • Value: WpadDetectedUrl
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
    • Value: WpadDecisionTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
    • Value: WpadDecision
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
    • Value: WpadNetworkName
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
    • Value: WpadDecisionReason
  • <HKCU>\SOFTWARE\MICROSOFT\CTF\MSUTB
    • Value: Top
  • <HKCU>\SOFTWARE\MICROSOFT\CTF\MSUTB
    • Value: Left
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SETUP
    • Value: UrlHistoryMigrationTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SETUP
    • Value: HaveCreatedQuickLaunchItems
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES64\{00021494-0000-0000-C000-000000000046}\ENUM
    • Value: Implementing
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\WINDOWSSEARCH
    • Value: Version
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
    • Value: CompatBlockPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
    • Value: NewInstallPromptCount
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\10000000067F9
    • Value: 1
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
    • Value: Count
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
    • Value: Flags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
    • Value: Blocked
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
    • Value: Type
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
    • Value: Time
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpNetbiosOptions
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpNameServerList
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\3000000010875
    • Value: 2
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value: DhcpDomain
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value: DhcpNameServer
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value: SoHRequest
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\0A-64-3C-54-A8-18
    • Value: WpadDetectedUrl
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\0A-64-3C-54-A8-18
    • Value: WpadDecisionTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\0A-64-3C-54-A8-18
    • Value: WpadDecision
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\0A-64-3C-54-A8-18
    • Value: WpadDecisionReason
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\STORAGE
    • Value: HotplugSecurityDescriptor
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\STORAGE
    • Value: Deny_Execute
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMGMT\PARAMETERS
    • Value: ServiceDllUnloadOnStop
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP
    • Value: ChangeNotice
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
    • Value: Count
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
    • Value: Flags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
    • Value: Blocked
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
    • Value: Type
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
    • Value: Time
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500
    • Value: RunLogonScriptSync
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500
    • Value: RefCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES
    • Value: SecuritySafe
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • Value: CachePrefix
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
    • Value: _FileId_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
    • Value: _ObjectLru_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
    • Value: _Usn_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
    • Value: _ObjectId_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
    • Value: AeFileID
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
    • Value: _UsnJournalId_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
    • Value: AeProgramID
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
    • Value: _FileId_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
    • Value: _ObjectLru_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
    • Value: _Usn_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
    • Value: _ObjectId_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
    • Value: AeFileID
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
    • Value: _UsnJournalId_
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
    • Value: AeProgramID
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
    • Value: 10000000067F9
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\AUTHENTICATION\LOGONUI\LOGONSOUNDPLAYED
    • Value: LogonUIChecked
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC
    • Value: IsTabletPC
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\TABLET PC
    • Value: DeviceKind
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\WDI\CONFIG
    • Value: ServerName
  • <HKU>\.DEFAULT\CONTROL PANEL\DESKTOP
    • Value: Wallpaper
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES64\{00021493-0000-0000-C000-000000000046}\ENUM
    • Value: Implementing
  • <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TRAYNOTIFY
    • Value: PastIconsStream
  • <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TRAYNOTIFY
    • Value: LastAdvertisement
  • <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TRAYNOTIFY
    • Value: UserStartTime
  • <HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TRAYNOTIFY
    • Value: IconStreams
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
    • Value: NewInstallPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
    • Value: CompatBlockPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
    • Value: Version
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
    • Value: Flags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
    • Value: VerCache
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE
    • Value: _CurrentObjectId_
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\TABLET PC
    • Value: IsTabletPC
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
    • Value: Count
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
    • Value: Flags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
    • Value: Blocked
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
    • Value: Type
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
    • Value: Time
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
    • Value: DhcpScopeID
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • Value: CachePrefix
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
    • Value: Count
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
    • Value: Flags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
    • Value: Blocked
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
    • Value: Type
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
    • Value: Time
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    • Value: NewInstallPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    • Value: CompatBlockPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    • Value: Version
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    • Value: Flags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    • Value: VerCache
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • Value: CachePrefix
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{DA4DADDD-6AF1-499A-91BB-269032006D4F}
    • Value: SoHRequest
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLBLOCKMANAGER
    • Value: NextCheckForUpdateLowDateTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLBLOCKMANAGER
    • Value: NextCheckForUpdateHighDateTime
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
    • 値:_IndexName_
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
    • 値:FullScreen
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
    • 値:OperationalData
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
    • 値:CompatibilityFlags
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
    • 値:ImageStoreRandomFolder
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
    • 値:Window_Placement
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORKLIST\NLA\CACHE\INTRANET
    • 値:{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    • 値:CompatBlockPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    • 値:NewInstallPromptCount
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
    • 値:{ED50FC29-B964-48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
    • 値:{17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST
    • 値:CurrentLru
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • 値:DhcpDomain
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • 値:DhcpDefaultGateway
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • 値:DhcpSubnetMaskOpt
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • 値:DhcpNameServer
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • 値:SoHRequest
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • 値:DhcpInterfaceOptions
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • 値:CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:Sort
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:ColInfo
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:ItemPos1024x768x96(1)
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:GroupByDirection
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:LogicalViewMode
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:FFlags
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:GroupView
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:GroupByKey:PID
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:IconSize
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:ItemOrder
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:Mode
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:GroupCollapseState
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
    • 値:GroupByKey:FMTID
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STUCKRECTS2
    • 値:Settings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STREAMS\DESKTOP
    • 値:TaskbarWinXP
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
    • 値:CompatBlockPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
    • 値:NewInstallPromptCount
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
    • 値:KnownProvidersUpgradeTime
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
    • 値:DownloadRetries
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
    • 値:DefaultScope
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
    • 値:DefaultPackCorrection
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • 値:CachePrefix
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1\Indexes
  • <HKLM>\SOFTWARE\WOW6432NODE\Microsoft
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Setup
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\Settings
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\0a-64-3c-54-a8-18
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\IndexTable
  • <HKU>\.DEFAULT\Software\Microsoft\Feeds
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive
  • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\UrlBlockManager
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\Certificates
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic
  • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
  • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
  • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
  • <HKLM>\SOFTWARE\CLASSES
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\Component Categories64
  • <HKU>\.DEFAULT\Software\Microsoft\F12
  • <HKU>\.DEFAULT\Software
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
  • <HKU>\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones
  • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\0000000000000004
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\0000000000000001
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Passport
  • <HKU>\.DEFAULT\SOFTWARE\APPDATALOW\SOFTWARE\Microsoft
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}\0a-64-3c-54-a8-18
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{00021494-0000-0000-C000-000000000046}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{00021493-0000-0000-C000-000000000046}
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
  • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\Windows
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\10000000067F9
  • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry
  • <HKU>\.DEFAULT\SOFTWARE\APPDATALOW\Software
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum
  • <HKLM>\Software\Microsoft\Windows\CurrentVersion\Reliability\shutdown
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
  • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\3000000010875
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\Component Categories
  • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
  • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\My
  • <HKU>\.DEFAULT\Software\AppDataLow
  • <HKLM>\SOFTWARE\Microsoft\ESENT\Process\318730135\DEBUG
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Main
  • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
  • <HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WBEM\CIMOM
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MenuOrder
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\VersionManager
  • <HKLM>\Software\Wow6432Node
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • <HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Reliability
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
  • <HKCU>\SOFTWARE\Microsoft\CTF\MSUTB\
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\EUPP\DSP
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic
  • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\COM+ REGDB Writer
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2\Indexes
  • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\ASR Writer
  • <HKLM>\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LogonSoundPlayed
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\Stats
  • <HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
  • <HKLM>\Software\Microsoft\WBEM\CIMOM
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES64\{00021494-0000-0000-C000-000000000046}
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
  • <HKU>\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\AuthRoot
  • <HKU>\.DEFAULT\SOFTWARE\Microsoft
  • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
  • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Explorer
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\GPU
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\Discardable
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Recovery
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\PostSetup
  • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\ObjectTable
  • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WBEM
  • <HKCU>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY\UserDefined
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
  • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
  • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites
  • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore
  • <HKU>\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer
  • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Registry Writer
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Explorer
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES64\{00021493-0000-0000-C000-000000000046}
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP

Mutexes

  • \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4

IP Addresses

  • 95[.]170[.]220[.]66
  • 185[.]242[.]190[.]97
  • 190[.]35[.]242[.]126
  • 13[.]107[.]21[.]200
  • 138[.]201[.]14[.]197
  • 109[.]166[.]237[.]170
  • 81[.]4[.]163[.]122
  • 95[.]43[.]11[.]180
  • 66[.]171[.]248[.]178
  • 154[.]35[.]132[.]71

Domain Names

  • 1[.]0[.]168[.]192[.]in-addr[.]arpa
  • ns1[.]wowservers[.]ru
  • carder[.]bit
  • www[.]torproject[.]org
  • ipv4bot[.]whatismyipaddress[.]com
  • ns2[.]wowservers[.]ru
  • ransomware[.]bit

Files and directories created

  • %LocalAppData%\Temp\pidor.bmp
  • %AppData%\Microsoft\Document Building Blocks\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\AddIns\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Templates\LiveContent\User\Document Themes\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\UserData\19CDHY5T\CRAB-DECRYPT.txt
  • %UserProfile%\Cookies\CRAB-DECRYPT.txt
  • %SystemDrive%\Recovery\926583e2-ef64-11e4-beed-d6738078ad98\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Internet Explorer\imagestore\aa4x2ky\imagestore.dat
  • %AppData%\Microsoft\gktngn.exe
  • %AppData%\Microsoft\Internet Explorer\UserData\N03JH1M1\CRAB-DECRYPT.txt
  • %AppData%\Media Center Programs\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Office\Recent\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\sidenav-arrow[1].gif
  • %AppData%\Microsoft\Templates\LiveContent\User\Document Themes\1033\CRAB-DECRYPT.txt
  • %UserProfile%\Favorites\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\CRAB-DECRYPT.txt
  • %UserProfile%\Documents\OneNote Notebooks\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\asay[1].htm
  • %LocalAppData%\Temp\~DF9ADF51BEE85B3E02.TMP
  • %AppData%\Macromedia\Flash Player\macromedia.com\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\onion[1].jpg
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\webapps\CRAB-DECRYPT.txt
  • %SystemDrive%\TEMP\CRAB-DECRYPT.txt
  • %LocalAppData%\Temporary Internet Files\CRAB-DECRYPT.txt
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Vault\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Proof\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\UserData\Low\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery-migrate-1.0.0.min[1].js
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\download-easy.html[1].htm
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\uipleiss[1].htm
  • %AppData%\Microsoft\Spelling\CRAB-DECRYPT.txt
  • %AppData%\Mozilla\Firefox\Crash Reports\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Word\CRAB-DECRYPT.txt
  • %ProgramFiles% (x86)\Microsoft SQL Server Compact Edition\v3.5\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Access\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\button-downloadpage[1].png
  • %AppData%\Microsoft\Templates\LiveContent\Managed\Document Themes\CRAB-DECRYPT.txt
  • %AppData%\Adobe\Acrobat\9.0\Collab\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\UserData\EUPM6R87\CRAB-DECRYPT.txt
  • %AppData%\Adobe\Flash Player\AssetCache\TRFRW6GU\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\CRAB-DECRYPT.txt
  • %SystemDrive%\MSOCache\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Crypto\RSA\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\CRAB-DECRYPT.txt
  • %SystemDrive%\System Volume Information\Chkdsk\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\CRAB-DECRYPT.txt
  • %AppData%\Adobe\Acrobat\9.0\Forms\CRAB-DECRYPT.txt
  • %UserProfile%\Saved Games\CRAB-DECRYPT.txt
  • %AppData%\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\shadowAlpha[1].png
  • %AppData%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\CRAB-DECRYPT.txt
  • %AppData%\Mozilla\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\typography.min[1].css
  • %AppData%\Adobe\CRAB-DECRYPT.txt
  • %LocalAppData%\Temp\~DF3DE6857420342E9D.TMP
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\btn_donateCC_LG[1].gif
  • %AppData%\Adobe\Acrobat\9.0\JavaScripts\CRAB-DECRYPT.txt
  • %UserProfile%\Searches\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\CRAB-DECRYPT.txt
  • %UserProfile%\Favorites\Microsoft Websites\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery.accordion.min[1].js
  • %SystemDrive%\Documents and Settings\CRAB-DECRYPT.txt
  • %SystemDrive%\System Volume Information\SPP\SppGroupCache\CRAB-DECRYPT.txt
  • %UserProfile%\Documents\My Videos\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\master.min[1].css
  • %UserProfile%\Start Menu\CRAB-DECRYPT.txt
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\minidumps\CRAB-DECRYPT.txt
  • %LocalAppData%\History\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\reset.min[1].css
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\warning[1].png
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery.ba-bbq.min[1].js
  • %AppData%\Microsoft\MSDN\8.0\CRAB-DECRYPT.txt
  • %UserProfile%\Favorites\MSN Websites\CRAB-DECRYPT.txt
  • %UserProfile%\NetHood\CRAB-DECRYPT.txt
  • %SystemDrive%\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Stationery\CRAB-DECRYPT.txt
  • %AppData%\Adobe\Flash Player\AssetCache\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\OneNote\14.0\CRAB-DECRYPT.txt
  • %UserProfile%\Documents\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Publisher Building Blocks\CRAB-DECRYPT.txt
  • %SystemDrive%\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\CRAB-DECRYPT.txt
  • %System32%\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer
  • %UserProfile%\Desktop\CRAB-DECRYPT.txt
  • \??\Volume{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}\System Volume Information\tracking.log.tmp
  • %UserProfile%\Templates\CRAB-DECRYPT.txt
  • %UserProfile%\Documents\My Pictures\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\CRAB-DECRYPT.txt
  • %System32%\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services
  • %AppData%\Macromedia\Flash Player\#SharedObjects\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Outlook\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\cta-buttons[1].jpg
  • %AppData%\Macromedia\Flash Player\#SharedObjects\YXTRFETG\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Crypto\CRAB-DECRYPT.txt
  • %AppData%\Macromedia\CRAB-DECRYPT.txt
  • %UserProfile%\PrintHood\CRAB-DECRYPT.txt
  • %System32%\Microsoft\Protect\S-1-5-18\User\61c31507-0d97-4080-aca3-fd44f12c8dbd
  • %AppData%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Protect\CRAB-DECRYPT.txt
  • %SystemDrive%\System Volume Information\SPP\OnlineMetadataCache\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\layout.min[1].css
  • %AppData%\Microsoft\SystemCertificates\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\CRAB-DECRYPT.txt
  • %AppData%\Mozilla\Firefox\Profiles\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\dlpage01[1].js
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico
  • %AppData%\Microsoft\Publisher\CRAB-DECRYPT.txt
  • %ProgramFiles% (x86)\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\UserData\M2V73K19\CRAB-DECRYPT.txt
  • %AppData%\Adobe\Acrobat\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\UserData\EXUAAUDV\CRAB-DECRYPT.txt
  • %UserProfile%\Documents\OneNote Notebooks\Personal\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico
  • %SystemDrive%\PerfLogs\Admin\CRAB-DECRYPT.txt
  • %SystemDrive%\PerfLogs\CRAB-DECRYPT.txt
  • %UserProfile%\Recorded TV\CRAB-DECRYPT.txt
  • %UserProfile%\Documents\Outlook Files\CRAB-DECRYPT.txt
  • %AppData%\Adobe\Acrobat\9.0\CRAB-DECRYPT.txt
  • %SystemDrive%\CRAB-DECRYPT.txt
  • %ProgramFiles% (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\CRAB-DECRYPT.txt
  • \??\E:\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\CRAB-DECRYPT.txt
  • %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Document Building Blocks\1033\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Templates\LiveContent\Managed\CRAB-DECRYPT.txt
  • %UserProfile%\Favorites\Links\CRAB-DECRYPT.txt
  • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\bookmarkbackups\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Office\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\MMC\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\UserData\MA3SBLRS\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Credentials\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\headerbg[1].jpg
  • %ProgramFiles%\CRAB-DECRYPT.txt
  • %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\UserData\CRAB-DECRYPT.txt
  • %ProgramFiles% (x86)\Microsoft SQL Server Compact Edition\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Document Building Blocks\1033\14\CRAB-DECRYPT.txt
  • %SystemDrive%\System Volume Information\SPP\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Internet Explorer\Recovery\High\Active\{50743783-67B4-11E8-8419-00501E3AE7B5}.dat
  • %UserProfile%\Contacts\CRAB-DECRYPT.txt
  • %UserProfile%\Links\CRAB-DECRYPT.txt
  • %LocalAppData%\CRAB-DECRYPT.txt
  • %UserProfile%\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\UserData\8HDD5GFC\CRAB-DECRYPT.txt
  • %LocalAppData%\Temp\CRAB-DECRYPT.txt
  • %AppData%\Adobe\Flash Player\NativeCache\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Excel\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\OneNote\CRAB-DECRYPT.txt
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\X3FXG4H3.htm
  • %AppData%\Microsoft\Signatures\CRAB-DECRYPT.txt
  • %AppData%\Microsoft\SystemCertificates\My\Certificates\CRAB-DECRYPT.txt
  • %AppData%\Macromedia\Flash Player\CRAB-DECRYPT.txt
  • %UserProfile%\Downloads\CRAB-DECRYPT.txt

File Hashes


Coverage

Screenshots of detection

AMP

Threat Grid

This post is an abridged translation of "Threat Roundup for June 1-15", published on the Talos Group blog on July 15, 2018.
