TROJ_POWELIKS.SHF

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

マルウェアは、実行後、自身を削除します。

侵入方法

マルウェアは、他のマルウェアに作成されるか、悪意あるWebサイトからユーザが誤ってダウンロードすることによりコンピュータに侵入します。

インストール

マルウェアは、以下のフォルダを作成します。

• %Application Data%\pafepe
• %System Root%\_121109_
• %System Root%\5cb954c75c27030fa4bc93bca1
• %System Root%\5cb954c75c27030fa4bc93bca1\update
• %System Root%\_178203_
• %System Root%\d34afe7f25c0863e686183c3

(註：%Application Data%フォルダは、Windows 2000、XP および Server 2003 の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data"、Windows Vista 、 7 、8、8.1 、Server 2008 および Server 2012の場合、"C:\Users\＜ユーザ名＞\AppData\Roaming" です。.. %System Root%フォルダは、オペレーティングシステム(OS)が存在する場所で、いずれのOSでも通常、 "C:" です。.)

他のシステム変更

マルウェアは、以下のレジストリキーを追加します。

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION

HKEY_CURRENT_USER\Software\83e77c41

HKEY_LOCAL_MACHINE\SOFTWARE\83e77c41

マルウェアは、以下のレジストリ値を追加します。

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
dllhost.exe = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
explorer.exe = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
iexplore.exe = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
dllhost.exe = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
explorer.exe = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main\FeatureControl\
FEATURE_BROWSER_EMULATION
iexplore.exe = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\83e77c41
13388129 = "{random characters}"

HKEY_CURRENT_USER\Software\83e77c41
13388129 = "{random characters}"

HKEY_LOCAL_MACHINE\SOFTWARE\83e77c41
849db534 = "883"

HKEY_CURRENT_USER\Software\83e77c41
849db534 = "883"

HKEY_LOCAL_MACHINE\SOFTWARE\83e77c41
f515519e = "BE4AD11FE11C1865"

HKEY_CURRENT_USER\Software\83e77c41
f515519e = "BE4AD11FE11C1865"

HKEY_LOCAL_MACHINE\SOFTWARE\83e77c41
41a9fda4 = "1436200426"

HKEY_CURRENT_USER\Software\83e77c41
41a9fda4 = "1436200426"

HKEY_LOCAL_MACHINE\SOFTWARE\83e77c41
65263b4f = "%Application Data%\pafepe\pafepe.exe"

HKEY_CURRENT_USER\Software\83e77c41
65263b4f = "%Application Data%\pafepe\pafepe.exe"

HKEY_LOCAL_MACHINE\SOFTWARE
C348DE15E6AD46B5 = "C348DE15E6AD46B5"

HKEY_LOCAL_MACHINE\SOFTWARE
D8C9CE5D053E21408 = "D8C9CE5D053E21408"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Setup
LogLevel = "2"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Setup
LogLevel = "0"

マルウェアは、以下のレジストリ値を変更します。

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1206 = "0"

(註：変更前の上記レジストリ値は、「3」となります。)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
2300 = "0"

(註：変更前の上記レジストリ値は、「1」となります。)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1809 = "3"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1206 = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
2300 = "0"

(註：変更前の上記レジストリ値は、「1」となります。)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\1
1809 = "3"

(註：変更前の上記レジストリ値は、「3」となります。)

作成活動

マルウェアは、以下のファイルを作成します。

• %Application Data%\pafepe\pafepe.exe
• %User Temp%\WindowsXP-KB968930-x86-ENG.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\eventforwarding.adm
• %System Root%\5cb954c75c27030fa4bc93bca1\windowsremotemanagement.adm
• %System Root%\5cb954c75c27030fa4bc93bca1\windowsremoteshell.adm
• %System Root%\5cb954c75c27030fa4bc93bca1\windowspowershellhelp.chm
• %System Root%\5cb954c75c27030fa4bc93bca1\winrm.cmd
• %System Root%\5cb954c75c27030fa4bc93bca1\compiledcomposition.microsoft.powershell.gpowershell.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.backgroundintelligenttransfer.management.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.backgroundintelligenttransfer.management.interop.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.backgroundintelligenttransfer.management.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.diagnostics.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.diagnostics.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.management.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.management.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.utility.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.utility.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.consolehost.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.consolehost.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.editor.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.editor.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.gpowershell.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.gpowershell.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.graphicalhost.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.graphicalhost.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.security.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.security.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.wsman.management.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.wsman.management.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.wsman.runtime.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\powershell_ise.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\pspluginwkr.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\pwrshmsg.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\pwrshplugin.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\pwrshsip.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\spmsg.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\system.management.automation.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\system.management.automation.resources.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\wevtfwd.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\winrmprov.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\winrscmd.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\winrsmgr.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\winrssrv.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmauto.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmplpxy.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmres.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmsvc.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmwmipl.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\powershell.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\powershell_ise.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\pscustomsetuputil.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\pssetupnativeutils.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\spuninst.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\spupdsvc.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\winrs.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\winrshost.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmanhttpconfig.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmprovhost.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\wtrinstaller.ico
• %System Root%\5cb954c75c27030fa4bc93bca1\winrm.ini
• %System Root%\5cb954c75c27030fa4bc93bca1\winrmprov.mof
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmauto.mof
• %System Root%\5cb954c75c27030fa4bc93bca1\powershell.exe.mui
• %System Root%\5cb954c75c27030fa4bc93bca1\profile.ps1
• %System Root%\5cb954c75c27030fa4bc93bca1\bitstransfer.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\certificate.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\diagnostics.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\dotnettypes.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\filesystem.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\getevent.types.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\help.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\powershellcore.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\powershelltrace.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\registry.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\types.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\wsman.format.ps1xml
• %System Root%\5cb954c75c27030fa4bc93bca1\bitstransfer.psd1
• %System Root%\5cb954c75c27030fa4bc93bca1\importallmodules.psd1
• %System Root%\5cb954c75c27030fa4bc93bca1\about_aliases.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_arithmetic_operators.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_arrays.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_assignment_operators.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_automatic_variables.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_bits_cmdlets.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_break.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_command_precedence.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_command_syntax.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_comment_based_help.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_commonparameters.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_comparison_operators.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_continue.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_core_commands.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_data_sections.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_debuggers.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_do.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_environment_variables.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_escape_characters.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_eventlogs.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_execution_policies.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_for.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_foreach.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_format.ps1xml.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_functions.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_functions_advanced.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_functions_advanced_methods.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_functions_advanced_parameters.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_functions_cmdletbindingattribute.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_hash_tables.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_history.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_if.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_job_details.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_jobs.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_join.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_language_keywords.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_line_editing.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_locations.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_logical_operators.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_methods.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_modules.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_objects.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_operators.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_parameters.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_parsing.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_path_syntax.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_pipelines.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_preference_variables.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_profiles.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_prompts.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_properties.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_providers.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_pssession_details.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_pssessions.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_pssnapins.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_quoting_rules.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_redirection.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_ref.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_regular_expressions.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_remote.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_remote_faq.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_remote_jobs.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_remote_output.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_remote_requirements.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_remote_troubleshooting.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_requires.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_reserved_words.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_return.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_scopes.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_script_blocks.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_script_internationalization.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_scripts.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_session_configurations.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_signing.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_special_characters.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_split.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_switch.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_throw.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_transactions.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_trap.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_try_catch_finally.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_type_operators.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_types.ps1xml.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_variables.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_while.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_wildcards.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_windows_powershell_2.0.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_windows_powershell_ise.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_wmi_cmdlets.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\about_ws-management_cmdlets.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\default.help.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\winrm.vbs
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.backgroundintelligenttransfer.management.dll-help.xml
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.diagnostics.dll-help.xml
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.management.dll-help.xml
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.commands.utility.dll-help.xml
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.consolehost.dll-help.xml
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.powershell.security.dll-help.xml
• %System Root%\5cb954c75c27030fa4bc93bca1\microsoft.wsman.management.dll-help.xml
• %System Root%\5cb954c75c27030fa4bc93bca1\system.management.automation.dll-help.xml
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmpty.xsl
• %System Root%\5cb954c75c27030fa4bc93bca1\wsmtxt.xsl
• %System Root%\5cb954c75c27030fa4bc93bca1\update\kb968930xp.cat
• %System Root%\5cb954c75c27030fa4bc93bca1\update\spcustom.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\update\updspapi.dll
• %System Root%\5cb954c75c27030fa4bc93bca1\update\update.exe
• %System Root%\5cb954c75c27030fa4bc93bca1\update\update.inf
• %System Root%\5cb954c75c27030fa4bc93bca1\update\eula.txt
• %System Root%\5cb954c75c27030fa4bc93bca1\update\update.ver
• %System Root%\5cb954c75c27030fa4bc93bca1\$shtdwn$.req
• %System Root%\d34afe7f25c0863e686183c3\eventforwarding.adm
• %System Root%\d34afe7f25c0863e686183c3\windowsremotemanagement.adm
• %System Root%\d34afe7f25c0863e686183c3\windowsremoteshell.adm
• %System Root%\d34afe7f25c0863e686183c3\windowspowershellhelp.chm
• %System Root%\d34afe7f25c0863e686183c3\winrm.cmd
• %System Root%\d34afe7f25c0863e686183c3\compiledcomposition.microsoft.powershell.gpowershell.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.backgroundintelligenttransfer.management.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.backgroundintelligenttransfer.management.interop.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.backgroundintelligenttransfer.management.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.commands.diagnostics.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.commands.diagnostics.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.commands.management.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.commands.management.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.commands.utility.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.commands.utility.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.consolehost.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.consolehost.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.editor.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.editor.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.gpowershell.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.gpowershell.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.graphicalhost.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.graphicalhost.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.security.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.powershell.security.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.wsman.management.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.wsman.management.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\microsoft.wsman.runtime.dll
• %System Root%\d34afe7f25c0863e686183c3\powershell_ise.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\pspluginwkr.dll
• %System Root%\d34afe7f25c0863e686183c3\pwrshmsg.dll
• %System Root%\d34afe7f25c0863e686183c3\pwrshplugin.dll
• %System Root%\d34afe7f25c0863e686183c3\pwrshsip.dll
• %System Root%\d34afe7f25c0863e686183c3\spmsg.dll
• %System Root%\d34afe7f25c0863e686183c3\system.management.automation.dll
• %System Root%\d34afe7f25c0863e686183c3\system.management.automation.resources.dll
• %System Root%\d34afe7f25c0863e686183c3\wevtfwd.dll
• %System Root%\d34afe7f25c0863e686183c3\winrmprov.dll
• %System Root%\d34afe7f25c0863e686183c3\winrscmd.dll
• %System Root%\d34afe7f25c0863e686183c3\winrsmgr.dll
• %System Root%\d34afe7f25c0863e686183c3\winrssrv.dll
• %System Root%\d34afe7f25c0863e686183c3\wsmauto.dll
• %System Root%\d34afe7f25c0863e686183c3\wsmplpxy.dll
• %System Root%\d34afe7f25c0863e686183c3\wsmres.dll
• %System Root%\d34afe7f25c0863e686183c3\wsmsvc.dll
• %System Root%\d34afe7f25c0863e686183c3\wsmwmipl.dll

その他

マルウェアは、以下の不正なWebサイトにアクセスします。

• http://{BLOCKED}.67.5
• http://{BLOCKED}.67.5/{random path}
• {BLOCKED}0.188.221
• {BLOCKED}.210.155
• {BLOCKED}4.56.109
• {BLOCKED}.221.112
• {BLOCKED}6.145.12
• {BLOCKED}1.139.10
• {BLOCKED}7.107.77
• {BLOCKED}8.68.182
• {BLOCKED}5.254.133
• {BLOCKED}2.103.69
• {BLOCKED}.84.174
• {BLOCKED}8.97.77
• {BLOCKED}.190.196
• {BLOCKED}.46.15
• {BLOCKED}1.150.130
• {BLOCKED}.238.203
• {BLOCKED}.41.136
• {BLOCKED}1.238.157
• {BLOCKED}.100.65
• {BLOCKED}.18.214
• {BLOCKED}141.82
• {BLOCKED}3.3.215
• {BLOCKED}.159.201
• {BLOCKED}.165.87
• {BLOCKED}177.159
• {BLOCKED}20.149
• {BLOCKED}5.142.30
• {BLOCKED}.102.222
• {BLOCKED}5.102.14
• {BLOCKED}1.26.4
• {BLOCKED}.151.107
• {BLOCKED}.161.37
• {BLOCKED}161.193
• {BLOCKED}8.212.125
• {BLOCKED}183.77
• {BLOCKED}116.25
• {BLOCKED}5.184.239
• {BLOCKED}3.172.138
• {BLOCKED}.5.229
• {BLOCKED}.129.224
• {BLOCKED}2.32.148
• {BLOCKED}75.44
• {BLOCKED}.12.143
• {BLOCKED}0.168.183
• {BLOCKED}8.15.180
• {BLOCKED}250.35
• {BLOCKED}2.196
• {BLOCKED}.233.211
• {BLOCKED}1.55.212
• {BLOCKED}1.64.34
• {BLOCKED}4.192.200
• {BLOCKED}6.242.180
• {BLOCKED}.16.234
• {BLOCKED}.239.221
• {BLOCKED}5.81.112
• {BLOCKED}9.124.117
• {BLOCKED}.160.240
• {BLOCKED}.201.45
• {BLOCKED}0.71.221
• {BLOCKED}5.104.76
• {BLOCKED}.141.196
• {BLOCKED}.247.253
• {BLOCKED}41.113
• {BLOCKED}59.191
• {BLOCKED}123.144
• {BLOCKED}.79.19
• {BLOCKED}6.209.20
• {BLOCKED}9.207.112
• {BLOCKED}.208.34
• {BLOCKED}7.175.36
• {BLOCKED}4.33.155
• {BLOCKED}0.156.65
• {BLOCKED}.243.184
• {BLOCKED}.47.209
• {BLOCKED}6.117.9
• {BLOCKED}.131.10
• {BLOCKED}37.105
• {BLOCKED}.54.41
• {BLOCKED}37.230
• {BLOCKED}.207.130
• {BLOCKED}2.131.71
• {BLOCKED}.160.17
• {BLOCKED}0.23.113
• {BLOCKED}0.235.157
• {BLOCKED}9.101.86
• {BLOCKED}.179.59
• {BLOCKED}10.144
• {BLOCKED}8.248.202
• {BLOCKED}9.69.2
• {BLOCKED}.180.122
• {BLOCKED}204.212
• {BLOCKED}.75.72
• {BLOCKED}199.166
• {BLOCKED}165.204
• {BLOCKED}.113.136
• {BLOCKED}9.48.228
• {BLOCKED}.194.44
• {BLOCKED}1.11.167
• {BLOCKED}.49.77
• {BLOCKED}93.16
• {BLOCKED}.212.63
• {BLOCKED}.242.16
• {BLOCKED}0.21.114
• {BLOCKED}0.199.168
• {BLOCKED}62.43
• {BLOCKED}3.6.41
• {BLOCKED}4.111.94
• {BLOCKED}5.67.35
• {BLOCKED}94.87
• {BLOCKED}.7.32
• {BLOCKED}.119.222
• {BLOCKED}6.219.103
• {BLOCKED}8.147.191
• {BLOCKED}69.113
• {BLOCKED}.153.199
• {BLOCKED}.49.13
• {BLOCKED}117.59
• {BLOCKED}.71.43
• {BLOCKED}.51.140
• {BLOCKED}6.246.57
• {BLOCKED}.143.80
• {BLOCKED}219.72
• {BLOCKED}71.98
• {BLOCKED}.70.143
• {BLOCKED}.205.142
• {BLOCKED}136.71
• {BLOCKED}.123.164
• {BLOCKED}132.236
• {BLOCKED}174.85
• {BLOCKED}8.174.226
• {BLOCKED}3.210.96
• {BLOCKED}.25.10
• {BLOCKED}.77.2
• {BLOCKED}9.50.7
• {BLOCKED}6.33.39
• {BLOCKED}7.35.219
• {BLOCKED}9.90.200
• {BLOCKED}.250.89
• {BLOCKED}.209.165
• {BLOCKED}8.234.132
• {BLOCKED}.80.149
• {BLOCKED}242.108
• {BLOCKED}.27.101
• {BLOCKED}17.46
• {BLOCKED}.184.21
• {BLOCKED}.31.20
• {BLOCKED}.239.163
• {BLOCKED}.93.146
• {BLOCKED}57.103
• {BLOCKED}6.232.84
• {BLOCKED}.51.170
• {BLOCKED}2.196.32
• {BLOCKED}7.182.29
• {BLOCKED}6.73.95
• {BLOCKED}.50.8
• {BLOCKED}.186.116
• {BLOCKED}.136.186
• {BLOCKED}5.149.42
• {BLOCKED}.24.140
• {BLOCKED}.215.51
• {BLOCKED}.177.64
• {BLOCKED}0.204.184
• {BLOCKED}8.201.246
• {BLOCKED}8.104.187
• {BLOCKED}2.73.128
• {BLOCKED}.58.130
• {BLOCKED}.246.97

マルウェアは、実行後、自身を削除します。

このウイルス情報は、自動解析システムにより作成されました。