Ransom.Win32.SODINOKIBI.SMTH
Windows

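Malware type:
Ransomware
Destructiveness:
No
Encrypted:
In the wild:
Yes
Overview
The malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious websites.
It drops ransom note files. It does not encrypt files with the following file extensions.
Details
Arrival Details
The malware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious websites.
Installation
The malware adds the following processes: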
- powershell.exe -e {base-64 encoded command} → used to delete shadow copies
Other System Modifications
The malware adds the following registry values:
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
Ybr = "{hex values}"
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
S6yP = "{hex values}"
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
dA2U3 = "{hex values}"
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
8eN335 = "{hex values}"
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
zEhXReE = ".{random characters}"
HKEY_LOCAL_MACHINE\Software\Facebook_Assistant
fOvNL4TU = "{hex values}"
Process Termination
The malware terminates the following services if found on the affected computer:
- mepocs
- vss
- memtas
- sql
- veeam
- sophos
- backup
- svc$
The malware terminates the following processes if found running in memory on the affected computer:
- winword
- ocssd
- sql
- encsvc
- oracle
- outlook
- thebat
- tbirdconfig
- powerpnt
- onenote
- dbeng50
- dbsnmp
- ocomm
- xfssvccon
- mspub
- msaccess
- infopath
- visio
- steam
- isqlplussvc
- wordpad
- agntsvc
- excel
- synctime
- mydesktopservice
- ocautoupds
- mydesktopqos
- thunderbird
- firefox
- sqbcoreservice
Information Theft
The malware gathers the following information:
- User Name
- Computer Name
- Workgroup
- Systems Architecture
- Operating System
- Processor Information
Stolen Information
The malware sends the gathered information via HTTP POST to the following URL:
- https://{domain}/{string1}/{string2}/{random characters}.{string3}, where each component is one of the following:
  - {domain}:
  - {string1}:
    - wp-content
    - include
    - content
    - uploads
    - static
    - admin
    - data
    - news
  - {string2}:
    - images
    - pictures
    - image
    - temp
    - tmp
    - graphic
    - assets
    - pics
    - game
  - {string3}:
    - jpg
    - png
    - gif
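The URL structure above can be turned into a proxy-log check. The following is an added example, not code from the original report or from Trend Micro: it flags clients that send HTTP POST requests of that shape to several different hosts. The log line format, the `.example` hostnames, the alphanumeric check on `{random characters}` and the `min_hosts` threshold are assumptions, and full URLs are only visible where the proxy inspects TLS.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Path components exactly as listed in the report above.
STRING1 = {"wp-content", "include", "content", "uploads", "static", "admin", "data", "news"}
STRING2 = {"images", "pictures", "image", "temp", "tmp", "graphic", "assets", "pics", "game"}
STRING3 = {"jpg", "png", "gif"}


def matches_report_pattern(method: str, url: str) -> bool:
    """True for POST https://{domain}/{string1}/{string2}/{name}.{string3}."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    segments = parts.path.split("/")
    # A matching path is "/a/b/file.ext": one empty element plus three segments.
    if len(segments) != 4 or segments[0] != "":
        return False
    dir1, dir2, filename = segments[1:]
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return False
    # Assumption: the "{random characters}" stem is alphanumeric; the report does not say.
    return (
        dir1.lower() in STRING1
        and dir2.lower() in STRING2
        and ext.lower() in STRING3
        and stem.isalnum()
    )


def suspicious_clients(log_lines, min_hosts=3):
    """Map client -> sorted hosts for clients whose matching POSTs hit >= min_hosts hosts.

    Assumed log format (hypothetical): "<timestamp> <client> <method> <url> <status>".
    min_hosts is an assumed tuning value: a POST to an image-like URL on one site
    is weak evidence, the same shape across many unrelated sites is stronger.
    """
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        _timestamp, client, method, url = fields[:4]
        if matches_report_pattern(method, url):
            hits[client].add(urlsplit(url).hostname)
    return {c: sorted(h) for c, h in hits.items() if len(h) >= min_hosts}


# Constructed sample log lines (not real traffic, hostnames are placeholders).
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 POST https://site-a.example/wp-content/images/qhdkwpzr.jpg 404",
    "2024-01-01T10:00:02Z 10.0.0.5 POST https://site-b.example/static/tmp/mxkqjvbd.png 200",
    "2024-01-01T10:00:03Z 10.0.0.5 POST https://site-c.example/news/game/zzrtplkw.gif 403",
    "2024-01-01T10:00:04Z 10.0.0.9 GET https://site-a.example/wp-content/images/logo.jpg 200",
    "2024-01-01T10:00:05Z 10.0.0.9 POST https://site-d.example/wp-content/uploads/2024/photo.jpg 200",
    "2024-01-01T10:00:06Z 10.0.0.7 POST https://site-e.example/admin/pics/abcdwxyz.png 200",
]

if __name__ == "__main__":
    for client, hosts in suspicious_clients(SAMPLE_LOG).items():
        print(client, "->", ", ".join(hosts))
```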
Other Details
The malware does the following:
- It checks the system's keyboard layout and terminates if it is any of the following:
  - Russian
  - Ukrainian
  - Belarusian
  - Tajik
  - Armenian
  - Azeri Latin
  - Georgian
  - Kazakh
  - Kyrgyz
  - Turkmen
  - Uzbek Latin
  - Tatar
  - Romanian
  - Azerbaijani
  - Uzbek
  - Syriac
  - Arabic Syria
- It searches for files to encrypt in remote drives, fixed drives, removable drives, and network resources.
Ransomware Routine
The malware does not encrypt files with the following strings in their file name:
- ntuser.ini
- desktop.ini
- boot.ini
- thumbs.db
- ntldr
- bootfont.bin
- autorun.inf
- iconcache.db
- bootsect.bak
- ntuser.dat
- ntuser.dat.log
The malware does not encrypt files found in the following folders:
- intel
- mozilla
- perflogs
- windows.old
- $windows.~ws
- boot
- programdata
- $windows.~bt
- msocache
- system volume information
- appdata
- application data
- $recycle.bin
- tor browser
- program files
- program files (x86)
The malware appends the following extension to the file name of encrypted files:
- .{random characters}
The following file dropped by the malware is the ransom note:
- {Encrypted Directory}\{random characters}-readme.txt
It does not encrypt files with the following file extensions:
- .icl
- .drv
- .deskthemepack
- .ico
- .hta
- .adv
- .bin
- .com
- .bat
- .scr
- .wpx
- .diagcfg
- .mod
- .idx
- .diagpkg
- .mpa
- .rom
- .ics
- .msp
- .theme
- .ocx
- .themepack
- .prf
- .key
- .icns
- .386
- .cmd
- .lock
- .dll
- .ani
- .rtp
- .msstyles
- .shs
- .sys
- .ldf
- .cpl
- .msi
- .msu
- .cab
- .spl
- .lnk
- .diagcab
- .ps1
- .nomedia
- .cur
- .nls
- .hlp
- .msc
- .exe
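Solution
Step 1
Trend Micro Predictive Machine Learning detects malware at the first sign of its presence and blocks it before it executes. When Predictive Machine Learning is enabled, Trend Micro antivirus products detect this malware under the following machine learning detection name:
- Troj.Win32.TRX.XXPE50FFF036
Step 2
Before running a virus scan, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore so that the malware, adware or similar program can be fully removed from the computer.
Step 3
Not all of the files, folders, and registry keys and values listed in these steps are necessarily installed on the computer when this malware, adware or similar program runs. This can happen when installation is incomplete or when operating system (OS) conditions prevent installation. If a file, folder or registry entry listed in a step is not found, that step is not needed; proceed to the next step.
Step 4
Restart Windows in Safe Mode.
Step 5
Delete this registry key.
Warning: The registry is a database that stores Windows configuration information, and an incorrect registry edit can cause the system to stop working properly.
Edit the registry at your own risk. Trend Micro cannot compensate for any problem caused by editing the registry.
Refer to this page before editing the registry.
- HKEY_CURRENT_USER\Software\GitForWindows
Step 6
Search for and delete the following files:
- %User Temp%\{random characters}.bmp
- {Encrypted Directory}\{random characters}-readme.txt
Step 7
Restart the computer in normal mode and, using an antivirus product updated to the latest version (engine and pattern file), scan for files detected as "Ransom.Win32.SODINOKIBI.SMTH". If the detected files have already been cleaned, quarantined or deleted by your Trend Micro antivirus product, handling of the malware is complete and no further removal steps are needed.
Step 8
Reset the desktop properties.
Step 9
Restore encrypted files from backup.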