TSPY_TRICKBOT.THOIBEAI

トレンドマイクロは、このマルウェアをNoteworthy（要注意）に分類しました。

マルウェアは、2018年11月に主にアメリカ、カナダ、フィリピンのユーザに影響を及ぼしたバンキングトロジャン（オンライン銀行詐欺ツール）「TrickBot」の亜種です。この亜種には、アプリケーションやブラウザから認証情報を窃取する、パスワード窃取モジュール「pwgrab32」が追加されています。

スパイウェアは、感染コンピュータや感染ユーザから特定の情報を収集します。

スパイウェアは、特定のWebサイトにアクセスし、情報を送受信します。

インストール

スパイウェアは、以下のファイルを作成します。

• %Application Data%\AIMT\FAQ -> contains Victim's Unique ID
• %Application Data%\AIMT\info.dat
• %Application Data%\AIMT\Readme.md -> Group Tag
• %Application Data%\AIMT\Modules\pwgrab32 -> Encrypted module that is used to steal internet login credentials such as Internet Explorer, Mozilla Firefox, Google Chrome, Microsoft Edge, Filezilla, WinSCP and Microsoft Outlook
• %Application Data%\AIMT\Modules\tabDll32 -> Encrypted module that is used for its lateral movement in the infected machine's network
• %Application Data%\AIMT\Modules\shareDll32 -> Encrypted module that is used to propagate itself via SMB and LDAP queries. It is used together with wormDll32
• %Application Data%\AIMT\Modules\wormDll32 -> Encrypted module that is used to propagate itself via SMB and LDAP queries. It is used together with sharedll32dll
• %Application Data%\AIMT\Modules\importDll32 -> Encrypted module that steals credentials from Internet Applications
• %Application Data%\AIMT\Modules\injectDll32 -> Encrypted module that monitors banking-related websites/URLs
• %Application Data%\AIMT\Modules\mailsearcher32 -> Encrypted module that searches for email addresses in the infected machine
• %Application Data%\AIMT\Modules\networkDll32 -> Encrypted module that performs network scanning/mapping
• %Application Data%\AIMT\Modules\systeminfo32 -> Encrypted module that gathers system information of the infected machine
• %Application Data%\AIMT\Modules\injectDll32_configs\sinj -> Encrypted configuration that lists websites that will be redirected to a specific phishing URL
• %Application Data%\AIMT\Modules\injectDll32_configs\dinj -> Encrypted configuration that lists websites to be monitored
• %Application Data%\AIMT\Modules\injectDll32_configs\dpost ->Encrypted configuration that lists C&C servers that receives stolen data from monitored websites
• %Application Data%\AIMT\Modules\networkDll32_configs\dpost -> Encrypted configuration that lists C&C servers that will receive stolen network information
• %Application Data%\AIMT\Modules\mailsearcher32_configs\mailconf -> Encrypted configuration that lists C&C servers that will receive stolen email addresses
• %Application Data%\AIMT\Modules\pwgrab32_configs\dpost -> Encrypted configuration that lists C&C servers that will receive stolen credentials
• %Application Data%\AIMT\Modules\tabDll32_configs\dpost -> Encrypted configuration that lists C&C servers that will receive stolen credentials

(註：%Application Data%フォルダは、現在ログオンしているユーザのアプリケーションデータフォルダです。Windows 2000、XP、Server 2003の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" です。また、Windows Vista、7、8の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Roaming" です。)

スパイウェアは、感染したコンピュータ内に以下のように自身のコピーを作成します。

• %Application Data%\AIMT\{slight variation of dropped file name}.exe
• %Windows%\mssvca.exe -> Dropped only when propagating through Administrative Shares
• %System%\mssvca.exe -> Dropped only when propagating through Administrative Shares
• %System Root%\mssvca.exe -> Dropped only when propagating through Administrative Shares

(註：%Application Data%フォルダは、現在ログオンしているユーザのアプリケーションデータフォルダです。Windows 2000、XP、Server 2003の場合、通常 "C:\Documents and Settings\＜ユーザ名＞\Local Settings\Application Data" です。また、Windows Vista、7、8の場合、通常 "C:\Users\＜ユーザ名＞\AppData\Roaming" です。. %Windows%フォルダは、Windowsが利用するフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows" です。.. %System%フォルダは、システムフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows\System32" です。.. %System Root%フォルダは、オペレーティングシステム(OS)が存在する場所で、いずれのOSでも通常、 "C:" です。.)

自動実行方法

スパイウェアは、以下のサービスを追加し、実行します。

• the Service Path could either be any of the following:
  
  • %System Root%\mssvca.exe
  • %Windows%\mssvca.exe
  • %System%\mssvca.exe
  While the Service Display Name could either be any of the following:
  
  • Service Techno
  • Service_Techno2
  • Technics-service2
  • Technoservices
  • Advanced-Technic-Service
  • ServiceTechno5
  • New ServiceTech2
  • Techserver3

(註：%System%フォルダは、システムフォルダで、いずれのオペレーティングシステム(OS)でも通常、"C:\Windows\System32" です。.)

情報漏えい

スパイウェアは、以下の情報を収集します。

• OS information (Architecture, Caption, CSDVersion)
• CPU Information (Name)
• Memory Information
• User Accounts
• Installed Programs
• Installed Services
• IP Configuration
• Network Information (Configuration, Users, Domain Settings)
• Email addresses
• Credentials in the following Applications:
  
  • Microsoft Outlook
  • Filezilla
  • WinSCP
• Internet Credentials (Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox):
  
  • Usernames and Passwords
  • Internet Cookies
  • Browsing History
  • Autofills
  • HTTP Posts responses

その他

スパイウェアは、以下のWebサイトにアクセスし、情報を送受信します。

• {BLOCKED}.{BLOCKED}.{BLOCKED}.229:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.198:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.186:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.215:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.230:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.149:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.142:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.66:449
• {BLOCKED}.{BLOCKED}.{BLOKCED}.177:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.231:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.206:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.91:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.44:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.148:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.230:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.147:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.119:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.163:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.169:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.118:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.74:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.41:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.54:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.126:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.183:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.66:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.89:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.197:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.49:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.112:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.112:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.107:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.170:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.85:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.113:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.84:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.50:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.12:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.22:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.229:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.198:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.186:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.215:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.230:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.149:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.142:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.66:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.177:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.231:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.206:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.91:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.44:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.148:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.230:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.230:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.149:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.142:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.66:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.177:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.231:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.206:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.91:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.44:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.148:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.230:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.147:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.119:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.163:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.169:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.118:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.74:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.41:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.54:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.126:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.183:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.66:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.89:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.197:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.49:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.112:449
• {BLOCKED}.{BLOCKED}.{BLOCKED}.112:443
• {BLOCKED}.{BLOCKED}.{BLOCKED}.251/radiance.png

＜補足＞
インストール

スパイウェアは、以下のファイルを作成します。

• %Application Data%\AIMT\FAQ →ユーザの固有IDが含まれるファイル
• %Application Data%\AIMT\info.dat
• %Application Data%\AIMT\Readme.md →グループタグ
• %Application Data%\AIMT\Modules\pwgrab32 →Internet Explorer（IE）、Mozilla Firefox、Google Chrome、Microsoft Edge、Filezilla、WinSCP、Microsoft Outlookなどのインターネットログイン認証情報の窃取に使用される暗号化されたモジュール
• %Application Data%\AIMT\Modules\tabDll32 →感染PCのネットワーク内での情報探索活動に使用される暗号化されたモジュール
• %Application Data%\AIMT\Modules\shareDll32 →SMBおよびLDAPクエリを介して自身を拡散するために使用される暗号化されたモジュール。wormDll32とあわせて使用される
• %Application Data%\AIMT\Modules\wormDll32 →SMBおよびLDAPクエリを介して自身を拡散するために使用される暗号化されたモジュール。sharedll32dllとあわせて使用される
• %Application Data%\AIMT\Modules\importDll32 →インターネットアプリケーションから認証情報を窃取する暗号化されたモジュール
• %Application Data%\AIMT\Modules\injectDll32 →オンラインバンキング関連のWebサイトやURLを監視する暗号化されたモジュール
• %Application Data%\AIMT\Modules\mailsearcher32 →感染PCのEメールアドレスを検索する暗号化されたモジュール
• %Application Data%\AIMT\Modules\networkDll32 →ネットワークスキャンおよびマッピングを実行する暗号化されたモジュール
• %Application Data%\AIMT\Modules\systeminfo32 →感染PCのシステム情報を収集する暗号化されたモジュール
• %Application Data%\AIMT\Modules\injectDll32_configs\sinj →特定のフィッシングサイトにリダイレクトされるWebサイトを一覧表示する暗号化された設定ファイル
• %Application Data%\AIMT\Modules\injectDll32_configs\dinj →監視対象のWebサイトを一覧表示する暗号化された設定ファイル
• %Application Data%\AIMT\Modules\injectDll32_configs\dpost ->監視対象のWebサイトから窃取したデータを受信するC&Cサーバを一覧表示する暗号化された設定ファイル
• %Application Data%\AIMT\Modules\networkDll32_configs\dpost →窃取したネットワーク情報を受信するC&Cサーバを一覧表示する暗号化された設定ファイル
• %Application Data%\AIMT\Modules\mailsearcher32_configs\mailconf →窃取したEメールアドレスを受信するC&Cサーバを一覧表示する暗号化された設定ファイル
• %Application Data%\AIMT\Modules\pwgrab32_configs\dpost →窃取した認証情報を受信するC&Cサーバを一覧表示する暗号化された設定ファイル
• %Application Data%\AIMT\Modules\tabDll32_configs\dpost →窃取された認証情報を受信するC&Cサーバを一覧表示する暗号化された設定ファイル

スパイウェアは、感染コンピュータ内に以下のように自身のコピーを作成します。

• %Application Data%\AIMT\{作成されたファイル名に似ているが異なるファイル名}.exe
• %Windows%\mssvca.exe →管理共有を介して拡散する場合にのみ作成される
• %System%\mssvca.exe →管理共有を介して拡散する場合にのみ作成される
• %System Root%\mssvca.exe →管理共有を介して拡散する場合にのみ作成される

自動実行方法

スパイウェアは、以下のサービスを追加し、実行します。

• サービスパスは以下のいずれかとなります。
  • %System Root%\mssvca.exe
  • %Windows%\mssvca.exe
  • %System%\mssvca.exe
    
    サービスの表示名は以下のいずれかです。
  • Service Techno
  • Service_Techno2
  • Technics-service2
  • Technoservices
  • Advanced-Technic-Service
  • ServiceTechno5
  • New ServiceTech2
  • Techserver3

情報漏えい

スパイウェアは、以下の情報を収集します。

• オペレーティングシステム（OS）情報（アーキテクチャ、キャプション、CSDバージョン）
• CPU情報（名前）
• メモリ情報
• ユーザアカウント
• インストールされているプログラム
• インストールされているサービス
• IP設定
• ネットワーク情報（環境設定、ユーザ、ドメイン設定）
• Eメールアドレス
• 以下のアプリケーションの認証情報
  • Microsoft Outlook
  • Filezilla
  • WinSCP
• インターネット認証情報(Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox)
  • ユーザ名とパスワード
  • Internet Cookies
  • 閲覧履歴
  • オートフィル
  • HTTP Postの応答

その他

スパイウェアは、以下を実行します。

• SMBおよびLDAPクエリを介してネットワーク全体に拡散します。
• 認証情報や機密情報を窃取するために、以下のオンラインバンキング関連のWebサイト/URLを監視します。
  • https://*.netteller.com/favicon.ico?*
  • *netteller.com/login2008/Authentication*
  • *favicon.ico=2dd2038048c763fc5f9174ae466cdb9c*
  • *.com/SPF/Login/Auth.aspx*
  • *.com/SPF/Login/favicon.ico?*
  • *favicon.ico=f7caf50483938302d86aa228d161e435*
  • */Authentication/Login*
  • */Accounts/AccountOverview.asp*
  • *favicon.ico=250717644273414e5c73a3c8997564da*
  • *.onlinebank.com/*/AOP/*.aspx*
  • *.onlinebank.com/*/AOP/favicon.ico?*
  • *partnersfcu.org/OnlineBanking/*aspx*
  • *partnersfcu.org/OnlineBanking/AOP/favicon.ico?*
  • *favicon.ico=ff358d7f67bc0f7e81b014655e34d0a5*
  • *.com/pub/html/login.html*
  • *.com/pub/html/favicon.ico*
  • *favicon.ico=843729ac35951a040681c469b4a89c0b*
  • */EBC_EBC1961/*
  • *favicon.ico=8735fa9cc59a7353f49756e81c2b3908*
  • *.com/fi*/bb/*
  • *.com/fi*/pb/*
  • *.com/fi*/retail/*
  • *.com/fnfg/retail/*
  • *.com/fi*/bb/favicon.ico?*
  • *.com/fi*/pb/favicon.ico?*
  • *.com/fi*/retail/favicon.ico?*
  • *.com/fnfg/retail/favicon.ico?*
  • *favicon.ico=be7cd95e4b5e89eb1f1d895abab1ee71*
  • */bbw/cmserver/welcome*
  • *favicon.ico=99f2a20d3dd8a354fbc8ed3a239f199f*
  • *pib*.secure-banking.com/*
  • *favicon.ico=f7205f82fdf9559db38d202eb9459348*
  • *.blilk.com/Core/Authentication/MFA*
  • *favicon.ico=a857aaab644de080328d45292893e479*
  • *secure.fundsxpress.com/piles/fxweb.pile/*
  • https://*secure.fundsxpress.com/*/fx?*
  • https://*secure.fundsxpress.com/*/favicon.ico?*
  • https://*secure.fundsxpress.com/start/*
  • https://*secure.fundsxpress.com/favicon.ico?
  • *favicon.ico=a6009ccf2264af7978f45f2a332eb392*
  • */onlineserv/CM*
  • *favicon.ico=5326bab1f1f827912468392860f6eb14*
  • *cey-ebanking.com/CLKCCM/*
  • *favicon.ico=70e9ac7e38a9df5092783b632c859cc7*
  • *engine/login/businesslogin*
  • *favicon.ico=01390a8c1c3cfb9918d799ad2a73dd84*
  • */business/j_security_check*
  • */business/login/Login.jsp*
  • */business/cts_security_precheck*
  • https://secure.*/LookAndFeel/Common/images/common/share.png?favicon.ico*
  • *favicon.ico=74536be4f9c2db6ca8c01a8054e1338a*
  • *corporatebankingweb/core/*
  • *favicon.ico=d73a726d92acc898bbbb175d3ab3337e*
  • *.ebanking-services.com/*.asp*
  • *.ebanking-services.com/*/*favicon.ico*
  • *favicon.ico=ce2bb103af1a10241de273caa885dbdd*
  • *secure.myvirtualbranch.com*
  • *favicon.ico=c8d027c1b29ac0def84ddfac56e682c8*
  • */wcmfd/wcmpw/CustomerLogin*
  • */wcmfd/wcmpw/favicon.ico*
  • *favicon.ico=9d0cf5e88c1fbcc637b90b76128d6bb9*
  • */rcrd/1529299416322016*
  • https://olb.bbvacompass.com/secure-auth/login*
  • https://olb.bbvacompass.com/secure/accountsummary*
  • https://olb.bbvacompass.com/secure-il/api/auth/public/signon*
  • https://www.bbvacompass.com/
  • */rcrd/1538497062765600*
  • https://*runpayroll.adp.com/*
  • */rcrd/1527170714082509*
  • https://*banking.sparda.de/wps/loggedout.jsp
  • https://*banking.sparda-*
  • https://*banking.sparda.de*
  • */rcrd/1535730754439313*
  • *authmaint.td.com*index.html*
  • *authentication.td.com*
  • *easyweb.td.com*
  • */rcrd/1529423905024754*
  • https*wellsfargo.com*
  • */rcrd/1528137865954561*
  • https://bank.bbt.com/mfapp/web/myfi/home*
  • https://bank.bbt.com/auth/kba_reg_update.tb*
  • https://bank.bbt.com/mfapp/web/myfi/profile*
  • https://bank.bbt.com/auth/pwd.tb*
  • https://bank.bbt.com/auth/kba_reg_update.tb?action=ZmV0Y2g=
  • */rcrd/1530558791571849*
  • https://online.citi.com/US/JSO/signoff/*
  • https://online.citi.com/US/login*
  • https://online.citi.com/US/CBOL/ain/car*
  • https://online.citi.com/US/NCMF/csq/flow.action*
  • https://online.citi.com/US/JRS/contactinfo/initialiseContactInfo*
  • ttps://accountonline.citi.com/cards/svc/Login*
  • https://online.citi.com/US/banking/citi*
  • https://online.citi.com/US/JSO/loginpage/retarget*
  • https://online.citi.com/US/ag/ContactInfo*
  • https://online.citi.com/US/JSO/signon/uname/*
  • https://online.citi.com/US/ag/mrc/*
  • https://online.citi.com/US/NCMF/csq/ResetQuestions.do*
  • https://online.citi.com/US/NCAO/cli/flow*
  • https://online.citi.com/US/NCAO/cli/flow*
  • https://www.citi.com/credit-cards/*
  • https://online.citi.com/US/JPS/portal/*
  • https://online.citi.com/US/JRS/login*
  • https://online.citi.com/US/JRS/portal/*
  • https://online.citi.com/US/JSO/signon/ProcessUsernameSignon.do
  • https://online.citi.com/US/JRS/pands/*
  • */rcrd/1527171026496719*
  • https://*kunde.comdirect.de*
  • https://*comdirect.de/lp/wt/login*
  • */rcrd/1539874619588916*
  • https://global.americanexpress.com/myca/logon/emea/action
  • */rcrd/1527164097084304*
  • https://www.cibc.com/??/small-business*
  • https://www.cibc.com/??/personal-banking*
  • https://www.cibconline.cibc.com/ebm-resources/public/banking/cibc/client/web/*
  • https://www.cibconline.cibc.com/olbtxn/*
  • https://*cibc.com/*
  • */rcrd/1527164294934631*
  • https://*commerzbank.de*
  • */rcrd/1527164275923785*
  • *bvi.bnc.ca*
  • */rcrd/1533809766692683*
  • https://www.onlinebanking.pnc.com/alservlet/MyAccountsServlet
  • https://www.onlinebanking.pnc.com/alservlet/ValidateUserIdPasswordServlet
  • https://www.onlinebanking.pnc.com/alservlet/PNCOnlineBankingServlet
  • https://www.onlinebanking.pnc.com/alservlet/ModifySecurityQuestionsServlet*
  • https://www.onlinebanking.pnc.com/alservlet/ModifySecurityQuestionsConfirmationServlet
  • */rcrd/1536081411070630*
  • https://www.capitalone.com/
  • https://verified.capitalone.com/sic-ui/*
  • */rcrd/1527162575196753*
  • https://*ebanking.bawagpsk.com/InternetBanking*
  • */rcrd/1527164985687384*
  • https://www*.scotiaonline.scotiabank.com/online/*
  • */rcrd/1527162060949058*
  • http://*acc*desjardins.com*
  • https://accweb.mouv.desjardins.com/identifiantunique/identification*
  • https://accesd.mouv.desjardins.com/sommaire-perso/sommaire/detention*
  • https://accweb.mouv.desjardins.com/identifiantunique/securite*
  • https://accweb.mouv.desjardins.com/identifiantunique/authentification*
  • */rcrd/1536176590679564*
  • https://onlinebanking.mtb.com/Login/MTBSignOn
  • https://onlinebanking.mtb.com/
  • https://onlinebanking.mtb.com/Accounts/AccountSummary
  • https://onlinebanking.mtb.com/CustomerService/MyProfile
  • https://onlinebanking.mtb.com/CustomerService/MyProfileEdit
  • */rcrd/1534870214732286*
  • https://online.lloydsbank.co.uk/personal/primarylogin
  • https://secure.lloydsbank.co.uk/personal/a/logon/entermemorableinformation.jsp*
  • */rcrd/1538078076441901*
  • https://secure.halifax-online.co.uk/personal/a/logon/entermemorableinformation.jsp*
  • https://www.halifax-online.co.uk/personal/primarylogin
  • */rcrd/1527162620975004*
  • https://*targobank.de*
  • */rcrd/1527162502077171*
  • https://*raiffeisen*.at/group/club*
  • https://*raiffeisen*.at/logincenter*
  • https://*raiffeisen*.at/group/private*
  • */rcrd/1536679059633197*
  • https://*.suntrust.com*
  • https://onlinebanking.suntrust.com/UI/ajax/clientservice/changeSecurityQA
  • */rcrd/1531737415491610*
  • https://onlinebanking.tdbank.com/
  • https://onlinebanking.tdbank.com/ngp_api/v1/security/user/session
  • 123tdbank.com123*
  • */rcrd/1527163537124692*
  • */getq/1527163537124692/qZaiUryN1C*
  • https://www.amazon.co.uk/*
  • https://www.amazon.co.uk/ap/signin
  • https://www.amazon.co.uk/gp/yourstore/home*
  • */rcrd/1530801754727167*
  • https://*lms.schwab.com/Login/*
  • https://*client.schwab.com/*
  • */rcrd/1527612058812310*
  • https://www.bankofamerica.com/homepage/overview*
  • https://secure.bankofamerica.com/transfers/*
  • https://www.bankofamerica.com/smallbusiness/
  • https://www.bankofamerica.com/smallbusiness/?*
  • https://secure.bankofamerica.com/myaccounts/brain/redirect.go?source*
  • https://secure.bankofamerica.com/myaccounts/details/deposit/information-services.go*
  • https://secure.bankofamerica.com/myaccounts/brain/redirect.go?target=acc*
  • https://www.bankofamerica.com/onlinebanking/online-banking.go
  • https://secure.bankofamerica.com/mycommunications/statements/statement.go*
  • https://secure.bankofamerica.com/myaccounts/details/deposit/account-details.go*
  • https://secure.bankofamerica.com/customer/manageContacts*
  • https://secure.bankofamerica.com/login/edit/sm/redirectSecurityCenter.go*
  • https://secure.bankofamerica.com/login/sign-in/incoming/sitekeyWidgetScript.go*
  • https://www.bankofamerica.com/?*
  • https://www.bankofamerica.com/homepage/smallbusiness*
  • https://www.bankofamerica.com/smallbusiness/online-banking.go
  • https://www.bankofamerica.com/index.jsp*
  • https://secure.bankofamerica.com/login/sitekey/skmaint.go*
  • https://www.bankofamerica.com/sitemap/hub/signin.go
  • https://www.bankofamerica.com/
  • https://secure.bankofamerica.com/myaccounts/details/deposit/account-balance-history.go*
  • https://secure.bankofamerica.com/login/sign-in/signOnV2Screen*
  • https://secure.bankofamerica.com/myaccounts/signin/signIn.go?*
  • https://secure.bankofamerica.com/login/sign-in/signOnScreen*
  • https://www.bankofamerica.com/Control.do*
  • https://secure.bankofamerica.com/login/languageToggle.go
  • https://allmyaccounts.bankofamerica.com/apps/*
  • https://finapp.allmyaccounts.bankofamerica.com/finapp/*
  • https://secure.bankofamerica.com/myaccounts/details/card*
  • */rcrd/1527171438710910*
  • https://*banking.berliner-bank.de/trxm*
  • */rcrd/1538496844367198*
  • https://myapps.paychex.com/*_remote/*
  • */rcrd/1538579395193257*
  • https://*.my.commbank.com.au/netbank/PaymentHub/*
  • https://*.my.commbank.com.au/netbank/Logon/Logon.aspx*
  • */rcrd/1537463849851121*
  • https://www.binance.com/userCenter/balances.html
  • https://www.binance.com/login.html
  • https://www.binance.com/userCenter/myAccount.html
  • */rcrd/1527164640571442*
  • https://*.de/*/entry*
  • https://*.de/banking-*/portal?*
  • https://*.de/privatkunden/*
  • https://*.de/portal/portal*
  • https://*.de/banking-*/portal;*
  • */rcrd/1527173297891530*
  • https://*online.bankaustria.at/wps/*
  • https://*geb.bankaustria.at/ga-gif-war/*
  • https://*resize/resize_helper.html*
  • */rcrd/1527164139852253*
  • https://*meine.norisbank.de/trxm/noris*
  • */rcrd/1528138508409624*
  • https://*.usbank.com/Auth/Login/LoginWidget
  • https://onlinebanking.usbank.com/*/SCIDShieldQA/IDShieldQA
  • https://onlinebanking.usbank.com/*/CustomerDashboard/Index*
  • https://onlinebanking.usbank.com/*/IDShieldQAConfirm
  • https://onlinebanking.usbank.com/*/MyProfileDashboard/MyProfileDashboardIndex*
  • https://*.usbank.com/access/oblix/apps/webgate/bin/webgate.dll*
  • https://onlinebanking.usbank.com/*/IDShieldQAReview
  • https://onlinebanking.usbank.com/API/Auth/v1/IDShield/UpdateUserQuestions*
  • https://onlinebanking.usbank.com/*/MyProfile/AuthenticationPreferencesView*
  • */rcrd/1527171294563071*
  • https://*meine.deutsche-bank.de/trxm/db*
  • */rcrd/1532632040841589*
  • https://*.key.com/ibxolb/olb/index.html
  • https://www.key.com/123123
  • https://ibx.key.com/mbl/api/auth/v1/users/securityquestions
  • https://ibx.key.com/mbl/api/unauth/v1/users/login/password
  • */rcrd/1527164442360306*
  • https://*ptlweb/WebPortal*
  • */rcrd/1527161983056830*
  • https://*tangerine.ca/app/*
  • */rcrd/1535723065134935*
  • https://signon.navyfederal.org/siteminderagent/forms/nfcu.fcc
  • */rcrd/1527165088325262*
  • https://*.de/en/home*
  • https://*.de/de/home*
  • https://*.de*abmelden*
  • */rcrd/1527162953804588*
  • https://*royalbank.com/*
  • https://www*.royalbank.com/cgi-bin/rbaccess/*
  • https://www*.royalbank.com/wps/myportal/OLB/*
  • */rcrd/1527162392678761*
  • https://www*.bmo.com/onlinebanking/*
  • */rcrd/1527784817476992*
  • https://espanol.chase.com/sdchaseonline/secure/CustomerCenter*
  • https://chaseonline.chase.com/Logon.aspx*
  • https://chaseonline.chase.com/secure/CustomerCenter*
  • https://espanol.chase.com/sdchaseonline/Logon*
  • https://chaseonline.chase.com/MyAccount*
  • https://m.chase.com/*
  • https://www.chase.com/espanol
  • https://espanol.chase.com/sdchaseonline/MyAccounts*
  • https://www.chase.com/
  • https://espanol.chase.com/sdchaseonline/Logon*
  • https://espanol.chase.com/sdchaseonline/secure/CustomerCenter*
  • https://espanol.chase.com/sdchaseonline/secure/Profile/*
  • https://chaseonline.chase.com/secure/Profile/*
  • https://espanol.chase.com/sdchaseonline/MyAccounts*
  • https://espanol.chase.com/sdchaseonline/secure/Profile/*
  • https://secure*.chase.com/web/auth*
  • */rcrd/1527163053741552*
  • https://*.sparkasse.at/sPortal/sportal*
  • https://*.sparkasse.at/*.js
  • https://*login.sparkasse.at/sts/oauth*
• 以下のオンラインバンキング関連のWebサイト/ URLを監視し、感染したユーザをフィッシングサイトにリダイレクトします。
  • https://www.{BLOCKED}gital.com*
  • https://www.{BLOCKED}ne.{BLOCKED}s.com*
  • https://{BLOCKED}ink.online.{BLOCKED}bank.com*
  • https://www.{BLOCKED}ne.{BLOCKED}bank.ie*
  • https://www.{BLOCKED}ss.{BLOCKED}c.co.uk*
  • https://{BLOCKED}g.{BLOCKED}tland.co.uk*
  • https://www.{BLOCKED}ne.{BLOCKED}t.com*
  • https://{BLOCKED}-business.{BLOCKED}tland.co.uk*
  • https://{BLOCKED}ng2.{BLOCKED}bank.co.uk*
  • https://{BLOCKED}imbankonline.{BLOCKED}ing.com*
  • https://{BLOCKED}2.{BLOCKED}ne.co.uk*
  • https://{BLOCKED}ate.{BLOCKED}ankonline.co.uk*
  • https://www.{BLOCKED}tibanking.com*
  • https://{BLOCKED}g.{BLOCKED}land.co.uk*
  • https://{BLOCKED}1.{BLOCKED}notlatham.co.uk*
  • https://{BLOCKED}e.{BLOCKED}bank.co.uk*
  • https://{BLOCKED}fieldonline.co.uk*
  • https://{BLOCKED}essbanking.{BLOCKED}b.ie*
  • https://www.{BLOCKED}ationalpayments.co.uk*
  • https://www.{BLOCKED}b.com*
  • https://{BLOCKED}al.{BLOCKED}rativebank.co.uk*
  • https://{BLOCKED}m.{BLOCKED}s.{BLOCKED}c.com*
  • https://{BLOCKED}banking.{BLOCKED}umi.co.uk*
  • https://www.{BLOCKED}lenonline.co.uk*
  • https://{BLOCKED}business.{BLOCKED}bank.co.uk*
  • https://{BLOCKED}k.{BLOCKED}-bank.co.uk*
  • https://{BLOCKED}k.{BLOCKED}uk.com*
  • https://{BLOCKED}e.{BLOCKED}cyprus.co.uk*
  • https://{BLOCKED}g.{BLOCKED}d-bank.com*
  • https://{BLOCKED}elandlifeonline.ie*
  • https://www.{BLOCKED}rnetbanking.com:8443*
  • https://{BLOCKED}k.{BLOCKED}cebankltd.com*
  • https://{BLOCKED}e.{BLOCKED}lawrie.com*
  • https://{BLOCKED}u.{BLOCKED}line.co.uk*
  • https://{BLOCKED}b.{BLOCKED}rustbank1.co.uk*
  • https://{BLOCKED}king.{BLOCKED}k.com*
  • https://{BLOCKED}y.{BLOCKED}k.co.uk*
  • https://{BLOCKED}r.{BLOCKED}baer.com*
  • https://{BLOCKED}g-ch2.{BLOCKED}s.com*
  • https://{BLOCKED}k.{BLOCKED}hbank.co.uk*
  • https://{BLOCKED}ng.{BLOCKED}s.co.uk*
  • https://{BLOCKED}licon.{BLOCKED}s.com*
  • https://{BLOCKED}ty.{BLOCKED}ank.co.uk*
  • https://{BLOCKED}k.{BLOCKED}ssbankukltd.co.uk*
  • https://www.{BLOCKED}rdlife.co.uk*
  • https://www.{BLOCKED}est.co.uk*
  • https://{BLOCKED}g.{BLOCKED}bank.com*
  • https://{BLOCKED}e.{BLOCKED}ctinvesting.co.uk*
  • https://www.{BLOCKED}hebank-dbdirect.com*
  • https://{BLOCKED}o-uk.{BLOCKED}an.com*
  • https://{BLOCKED}e.{BLOCKED}orebusinesssavings.co.uk*
  • https://www.{BLOCKED}nline.co.uk*
  • https://www.{BLOCKED}swealth.com*
  • https://{BLOCKED}re.{BLOCKED}yswealth.com*
  • https://{BLOCKED}banking.{BLOCKED}s.com*
  • https://www.{BLOCKED}d.com*
  • https://{BLOCKED}k.{BLOCKED}berbanking.com*
  • https://{BLOCKED}k.{BLOCKED}berbanking.com*
  • https://{BLOCKED}anking.{BLOCKED}wide.co.uk*
  • https://www.{BLOCKED}ne.{BLOCKED}bank.co.uk*
  • https://www.{BLOCKED}ne.{BLOCKED}bank.co.uk*
  • https://{BLOCKED}e.{BLOCKED}tland.co.uk*
  • https://www.{BLOCKED}nkanytimebanking.co.uk*
  • https://{BLOCKED}ne.{BLOCKED}bank.com*
  • https://{BLOCKED}bank.co.uk*
  • https://www.{BLOCKED}kibanking.com*
  • https://www.{BLOCKED}anking.com*
  • https://www.{BLOCKED}tibanking.com*
  • https://{BLOCKED}client.{BLOCKED}rothers.com*
  • https://www.{BLOCKED}uildingsociety.co.uk*
  • https://{BLOCKED}ace.{BLOCKED}b.co.uk*
  • https://{BLOCKED}b.{BLOCKED}bank.com*
  • https://secure.{BLOCKED}s.{BLOCKED}bank.com*
  • https://www.{BLOCKED}ank.com*
  • https://online.{BLOCKED}b.co.uk*
  • https://www1.{BLOCKED}vatebank.com*
  • https://{BLOCKED}line.{BLOCKED}f.com*
  • https://{BLOCKED}g.{BLOCKED}e.co.uk*
  • https://{BLOCKED}e.{BLOCKED}bank.co.uk*
  • https://{BLOCKED}accounts.{BLOCKED}s.co.uk*
  • https://{BLOCKED}e.{BLOCKED}k.co.uk*
  • https://{BLOCKED}ew.{BLOCKED}ybs.co.uk*
  • https://{BLOCKED}bank.com*
  • https://{BLOCKED}t.{BLOCKED}ure-int.com*
  • https://{BLOCKED}ducer.{BLOCKED}ure-int.com*
  • https://www.{BLOCKED}nesonline.com*
  • https://internetbanking.{BLOCKED}trustbank.com*
  • https://login.{BLOCKED}hain.com*
  • https://myaccounts.{BLOCKED}y.co.uk*
  • https://online.{BLOCKED}nbank.co.uk*
  • https://www.onlinebanking.{BLOCKED}k.com*
  • https://www2.{BLOCKED}irect.com*
  • https://business.{BLOCKED}rativebank.co.uk*
  • https://online.{BLOCKED}nk.com*
  • https://www.{BLOCKED}anking.com*
  • https://business2.{BLOCKED}bank.co.uk*
  • https://home1.{BLOCKED}nessonline.co.uk*
  • https://online.{BLOCKED}s.com*
  • https://fdonline.{BLOCKED}ativebank.co.uk*
  • https://{BLOCKED}ebanking.com*
  • https://online.{BLOCKED}s.co.uk*
  • https://{BLOCKED}ebanking.com*
  • https://clients.{BLOCKED}bestinvest.co.uk*
  • https://bankinguk.secure.{BLOCKED}ec.com*
  • https://online-business.{BLOCKED}b.co.uk*
  • https://www.{BLOCKED}yswealth.com*
  • https://www.{BLOCKED}b.com*
  • https://www.{BLOCKED}cial.{BLOCKED}c.com.hk*
  • https://www.{BLOCKED}s.{BLOCKED}y.com*
  • https://www1.{BLOCKED}kusa.com*
  • https://business.{BLOCKED}der.co.uk*
  • https://retail.{BLOCKED}der.co.uk*
  • https://corporate.{BLOCKED}der.co.uk*
  • https://www.{BLOCKED}ine.com*
  • https://www.{BLOCKED}4.ie*
  • https://online.{BLOCKED}s.ie*
  • https://www.{BLOCKED}x-online.co.uk*
  • https://secure.{BLOCKED}saccounts.com*
  • https://apps.{BLOCKED}money.com*
  • https://online.{BLOCKED}i.eu*
  • https://meine.{BLOCKED}che-bank.de*
  • https://online.{BLOCKED}l.co.uk*
  • https://my.{BLOCKED}reet.com*
  • https://jpmcsso.{BLOCKED}an.com*
  • https://online.{BLOCKED}ank.co.uk*
  • https://online.{BLOCKED}k.bg*
  • https://{BLOCKED}s.{BLOCKED}egenerale.fr*
  • https://www.{BLOCKED}ill.com*
  • https://www.{BLOCKED}tnet.jpmorgan.com*
  • https://sponsor.{BLOCKED}a.com*
  • https://www.secure.{BLOCKED}ibas.net*
  • https://my.{BLOCKED}ivatebank.com*
  • https://online.{BLOCKED}tland.co.uk*
  • https://{BLOCKED}n.{BLOCKED}g.nl*
  • https://access.{BLOCKED}k.com*
  • https://www6.{BLOCKED}c.com*
  • https://businessbanking.{BLOCKED}ercialbanking.com*
  • https://www22.{BLOCKED}o.com*
  • https://uas1.{BLOCKED}s.{BLOCKED}bank.com*
  • https://www1.{BLOCKED}onnect.{bLOCKED}bank.com*
  • https://{BLOCKED}d.{BLOCKED}es.{BLOCKED}dins.com*
  • https://{BLOCKED}d.{BLOCKED}es.{BLOCKED}dins.com*
  • https://www21.{BLOCKED}o.com*
  • https://www23.{BLOCKED}o.com*
  • https://cmo.{BLOCKED}c.com*
  • https://{BLOCKED}ain.info*
  • https://{BLOCKED}x.com*
  • https://{BLOCKED}ex.com*
  • https://www.{BLOCKED}se.com*
  • https://www.{BLOCKED}se.com*
  • https://www.{BLOCKED}e.com*
  • https://www.{BLOCKED}ex.com*
  • https://www.{BLOCKED}mp.net*
  • https://www.{BLOCKED}i.pro*
  • https://www.{BLOCKED}ro.com*
  • https://www.{BLOCKED}b.com*
  • https://{BLOCKED}h.{BLOCKED}c.com*
  • https://{BLOCKED}f.jp*
  • https://www.{BLOCKED}kibanking.com*
  • https://live.{BLOCKED}p.com*
  • https://www.{BLOCKED}ne.{BLOCKED}bank.ie*
  • https://personal.{BLOCKED}ankonline.co.uk*
  • https://login.secure.{BLOCKED}ec.com*
  • https://www.onlinebanking.{BLOCKED}fshore.com*
  • https://www.{BLOCKED}c.co.uk*
  • https://cashmanagement.{BLOCKED}ys.net*
  • https://www.{BLOCKED}ital.com*
  • https://www.{BLOCKED}bankanytimebanking.ie*
  • https://{BLOCKED}ernetbanking.{BLOCKED}b.ie*
  • https://www.{BLOCKED}ounts.com*
  • https://my.{BLOCKED}eet.com*
  • https://www.{BLOCKED}x.com*
  • https://www.{BLOCKED}er.jp*
  • https://bank.{BLOCKED}ys.co.uk*
  • https://esavings.{BLOCKED}ok.co.uk*
  • https://banking.{BLOCKED}s.co.uk*
  • https://wholesale.{BLOCKED}r.com*
  • https://commercial.{BLOCKED}nkonline.co.uk*
  • https://{BLOCKED}sbank.{BLOCKED}ing.com*
  • https://{BLOCKED}storsbank.{BLOCKED}ing.com*
  • https://{BLOCKED}ix.{BLOCKED}ebank.com*
  • https://www.{BLOCKED}usinessonlinebanking.com*
  • https://{BLOCKED}ntrycorp.{BLOCKED}ank.com*
  • https://{BLOCKED}ntrycorp.{BLOCKED}ktrust.com*
  • https://{BLOCKED}ntrycorp.{BLOCKED}ank.com*
  • https://www.{BLOCKED}albank.com*
  • https://{BLOCKED}office.{BLOCKED}go.com*
  • https://{BLOCKED}s.{BLOCKED}n.com*
  • https://{BLOCKED}ay.{BLOCKED}nscommercialbanking.com*
  • https://{BLOCKED}t.{BLOCKED}y.com*
  • https://www.{BLOCKED}ry.{BLOCKED}k.com*
  • https://{BLOCKED}l.{BLOCKED}hmgmt.com*
  • https://www.{BLOCKED}ank.com*
  • https://cm.{BLOCKED}r.com*
  • https://{BLOCKED}ter.{BLOCKED}hrony.com*
  • https://webcmpr.{BLOCKED}opular.com*
  • https://www.{BLOCKED}nect.com*
  • https://{BLOCKED}der.{BLOCKED}c.com*
  • https://{BLOCKED}h.{BLOCKED}pay.{BLOCKED}nion.com*
  • https://{BLOCKED}pay.{BLOCKED}nion.com*
  • https://{BLOCKED}ceconnections.{BLOCKED}cebank.com*
  • https://{BLOCKED}o.us.{BLOCKED}c.com*
  • https://{BLOCKED}nager.{BLOCKED}easurer.com*
  • https://{BLOCKED}ss-eb.{BLOCKED}ervices.com*
  • https://{BLOCKED}asury.{BLOCKED}k.com*
  • https://{BLOCKED}s.{BLOCKED}.com*
  • https://{BLOCKED}t.{BLOCKED}oll.com*
  • https://{BLOCKED}businessplus.{BLOCKED}y.com*
  • https://{BLOCKED}n.{BLOCKED}ervice.com*
  • https://{BLOCKED}point.{BLOCKED}bal.com*
  • https://www.{BLOCKED}a.com*
  • https://{BLOCKED}nch.{BLOCKED}lon.com*
  • https://www.{BLOCKED}gefxonline.com*
  • https://fxpayments.{BLOCKED}press.com*
  • https://www.{BLOCKED}alyzer.com*
  • https://business.{BLOCKED}itizens.com*
  • https://businessonline.{BLOCKED}gton.com*
  • https://clientlogin.{BLOCKED}b.{BLOCKED}s.com*
  • https://connect-ch2.{BLOCKED}s.com*
  • https://www.{BLOCKED}ct.org*
  • https://www.{BLOCKED}e.com*
  • https://www.{BLOCKED}y.com*
  • https://transactgateway.{BLOCKED}b.com*
  • https://secure.{BLOCKED}a.gr*
  • https://commercial.{BLOCKED}line.co.uk*
  • https://www.{BLOCKED}psouthinview.{BLOCKED}lus.com*
  • https://{BLOCKED}x.{BLOCKED}s.com*
  • https://businessonline.{BLOCKED}abank.com*
  • https://www.{BLOCKED}privatebank.com*
  • https://connect.{BLOCKED}lon.com*
  • https://www.{BLOCKED}ate.com*
  • https://www.{BLOCKED}rieresearch.com*
  • https://www.{BLOCKED}k.gr*
  • https://e-access.{BLOCKED}sbank.com*
  • https://treasuryconnect.{BLOCKED}tilcb.com*
  • https://www.{BLOCKED}k.gr*
  • https://securentrycorp.{BLOCKED}k.com*
  • https://www.{BLOCKED}shmanager.com*
  • https://{BLOCKED}n.{BLOCKED}nk.com*
  • https://personal.{BLOCKED}tilcbonline.com*
  • https://www.{BLOCKED}nnect.com*
  • https://www.{BLOCKED}psouthonline.com*
  • https://{BLOCKED}01.{BLOCKED}an.com*
  • https://www.{BLOCKED}l.com*
  • https://cashproonline.{BLOCKED}ica.com*
  • https://www22.{BLOCKED}o.com*
  • https://www.{BLOCKED}erbank.com*
  • https://cib.{BLOCKED}hewest.com*
  • https://businessaccess.{BLOCKED}nk.{BLOCKED}oup.com*
  • https://{BLOCKED}online.{BLOCKED}ing.com*
  • https://www8.{BLOCKED}ca.com*
  • https://www.us.{BLOCKED}vatebank.com*
  • https://cbforex.{BLOCKED}sbank.com*
  • https://www.{BLOCKED}bank.com*
  • https://jpmcsso.{BLOCKED}an.com*
  • https://www.{BLOCKED}b.com*
  • https://www2.secure.{BLOCKED}t.com*
  • https://{BLOCKED}an.{BLOCKED}e.com*
  • https://{BLOCKED}st.{BLOCKED}line.com*
  • https://{BLOCKED}tytopeka.{BLOCKED}ing.com*
  • https://{BLOCKED}ssonline.{BLOCKED}k.com*
  • https://{BLOCKED}b.{BLOCKED}aurentienne.ca*
  • https://www.{BLOCKED}n.com*
  • https://{BLOCKED}th.{BLOCKED}vestor.com*
  • https://{BLOCKED}point.{BLOCKED}k.com*
  • https://{BLOCKED}ercial.{BLOCKED}an.com*
  • https://www.{BLOCKED}t.{BLOCKED}c.com*
  • https://{BLOCKED}s.{BLOCKED}s.com*
  • https://{BLOCKED}s.{BLOCKED}s.com*
  • https://{BLOCKED}x.{BLOCKED}nscommercialbanking.com*
  • https://{BLOCKED}ss2.{BLOCKED}bank.ie*
  • https://www.{BLOCKED}tcash.com*
  • https://secure.{BLOCKED}k.org*
• 以下のサービスおよびプロセスを無効化、または終了します。
  • Msmpeng.exe
  • MSASCuil.exe
  • MSASCui.exe
  • Windows Defender
  • MBamService
  • SAVService
• 以下のモジュールのいずれかがメモリに見つかった場合は、自身のプロセスをチェックして終了します。
  • pstorec.dll
  • vmcheck.dll
  • dbghelp.dll
  • wpespy.dll
  • api_log.dll
  • SbieDll.dll
  • SxIn.dll
  • dir_watch.dll
  • Sf2.dll
  • cmdvrt32.dll
  • snxhk.dll

以下のスケジュールされたタスクを追加します。

• タスク名：Msntcs
  • タスクのアクション：％Application Data％\ AIMT \ {作成されたファイル名に似ているが異なるファイル名} .exe
  • タスクトリガー：システム起動時および初回実行の後10分毎