Technical Information (sandbox behaviour listing: autorun entry, processes started, files created/modified, network activity, window classes). Domains and IPs are partially masked with '#'. Note for triage: www.bing.com, www.google.com, crl.microsoft.com and the CodeSignPCA.crl fetch are legitimate Microsoft/search endpoints (likely connectivity and certificate-revocation checks) and should not be blocklisted on their own; the algorithmically-looking domains on port 80 and the high-numbered IP:port connections are the indicators worth hunting for.
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Ejwae' = '%APPDATA%\Roaming\Uwazb\ejwae.exe'
- '%APPDATA%\Roaming\Uwazb\ejwae.exe'
- '<SYSTEM32>\wermgr.exe' -queuereporting
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "%WINDIR%\explorer.exe"
- <SYSTEM32>\wermgr.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\huheyxkydfilfibinxktxkfjrrsh_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\tqktyhamvkqwnjlxkcqwgvseq_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mrtgzhhmwbuvshjvdqoronpkrl_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\kfobddlneuwktscaeyzhfiu_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\lgafykphyuwizpzdaqnvtmntt_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\fqdamxbyhmhybamfdayonaidexogy_com[1]
- <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\tbiqkfqbqozirhuwkeuswgbmtg_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\uodpnushaxkjgambdsonrxcmjcav_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\edaxsvswghircdqaiamfqcmmbqk_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ozshnfdqtmnypdibehtnrlzbyn_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hlemnzjfjbltgknbevstceasgi_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\qpxyzlzhvkmvmmbhpyxgaof_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hyldysgcmljyxcvobtircslrr_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ytzlvwovctthihuqcjbthaqg_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xsauvwqcortcqxlzdukpsgjbhw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\yppwseihajbduzhxknofgmpzlr_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hknkzmrmntgtdmnzmjemjzjbzph_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\fadabijvmjphgiuodupjwdy_ru[1]
- <LS_APPDATA>Low\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\edb.log
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\edb00002.log
- <LS_APPDATA>\Microsoft\Windows Mail\tmp.edb
- %APPDATA%\Roaming\Uwazb\ejwae.exe
- <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol
- %TEMP%\Cab4BAF.tmp
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\2A28363A-00000001.eml:OECustomProperty
- %TEMP%\ppcrlui_4032_2
- %TEMP%\Tar4BC0.tmp
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\2A28363A-00000001.eml
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol
- %TEMP%\tmpc77b75e6.bat
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\fadabijvmjphgiuodupjwdy_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hknkzmrmntgtdmnzmjemjzjbzph_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xsauvwqcortcqxlzdukpsgjbhw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\edaxsvswghircdqaiamfqcmmbqk_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\yppwseihajbduzhxknofgmpzlr_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hyldysgcmljyxcvobtircslrr_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\qpxyzlzhvkmvmmbhpyxgaof_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ozshnfdqtmnypdibehtnrlzbyn_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ytzlvwovctthihuqcjbthaqg_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hlemnzjfjbltgknbevstceasgi_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\uodpnushaxkjgambdsonrxcmjcav_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\tbiqkfqbqozirhuwkeuswgbmtg_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\fqdamxbyhmhybamfdayonaidexogy_com[1]
- %TEMP%\Cab4BAF.tmp
- %TEMP%\Tar4BC0.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\kfobddlneuwktscaeyzhfiu_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mrtgzhhmwbuvshjvdqoronpkrl_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\huheyxkydfilfibinxktxkfjrrsh_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\lgafykphyuwizpzdaqnvtmntt_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\tqktyhamvkqwnjlxkcqwgvseq_com[1]
- from <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log to <LS_APPDATA>\Microsoft\Windows Mail\edb.log
- 'fa######mjphgiuodupjwdy.ru':80
- 'hk#######tgtdmnzmjemjzjbzph.com':80
- 'xs#######rtcqxlzdukpsgjbhw.com':80
- 'ed#######hircdqaiamfqcmmbqk.org':80
- 'yp#######jbduzhxknofgmpzlr.info':80
- 'hy#######ljyxcvobtircslrr.biz':80
- 'qp######vkmvmmbhpyxgaof.ru':80
- 'oz#######mnypdibehtnrlzbyn.net':80
- 'yt#######tthihuqcjbthaqg.info':80
- 'hl#######bltgknbevstceasgi.org':80
- 'mr#######buvshjvdqoronpkrl.net':80
- 'fq########hybamfdayonaidexogy.com':80
- 'uo########kjgambdsonrxcmjcav.biz':80
- 'www.bing.com':80
- '20#.#6.232.182':80
- '74.##5.232.51':80
- 'hu#######filfibinxktxkfjrrsh.ru':80
- 'kf######euwktscaeyzhfiu.biz':80
- 'tq#######kqwnjlxkcqwgvseq.com':80
- 'tb#######ozirhuwkeuswgbmtg.org':80
- 'lg#######uwizpzdaqnvtmntt.net':80
- fa######mjphgiuodupjwdy.ru/
- hk#######tgtdmnzmjemjzjbzph.com/
- xs#######rtcqxlzdukpsgjbhw.com/
- ed#######hircdqaiamfqcmmbqk.org/
- yp#######jbduzhxknofgmpzlr.info/
- hy#######ljyxcvobtircslrr.biz/
- qp######vkmvmmbhpyxgaof.ru/
- oz#######mnypdibehtnrlzbyn.net/
- yt#######tthihuqcjbthaqg.info/
- hl#######bltgknbevstceasgi.org/
- mr#######buvshjvdqoronpkrl.net/
- fq########hybamfdayonaidexogy.com/
- uo########kjgambdsonrxcmjcav.biz/
- www.bing.com/
- 20#.#6.232.182/pki/crl/products/CodeSignPCA.crl
- 74.##5.232.51/
- hu#######filfibinxktxkfjrrsh.ru/
- kf######euwktscaeyzhfiu.biz/
- tq#######kqwnjlxkcqwgvseq.com/
- tb#######ozirhuwkeuswgbmtg.org/
- lg#######uwizpzdaqnvtmntt.net/
- DNS ASK tq#######kqwnjlxkcqwgvseq.com
- DNS ASK lg#######uwizpzdaqnvtmntt.net
- DNS ASK hu#######filfibinxktxkfjrrsh.ru
- DNS ASK mr#######buvshjvdqoronpkrl.net
- DNS ASK kf######euwktscaeyzhfiu.biz
- DNS ASK www.bing.com
- DNS ASK sg#######mzlnvgfezlzuokv.com
- DNS ASK fq########hybamfdayonaidexogy.com
- DNS ASK tb#######ozirhuwkeuswgbmtg.org
- DNS ASK uo########kjgambdsonrxcmjcav.biz
- DNS ASK hl#######bltgknbevstceasgi.org
- DNS ASK yt#######tthihuqcjbthaqg.info
- DNS ASK oz#######mnypdibehtnrlzbyn.net
- DNS ASK qp######vkmvmmbhpyxgaof.ru
- DNS ASK hy#######ljyxcvobtircslrr.biz
- DNS ASK yp#######jbduzhxknofgmpzlr.info
- DNS ASK ed#######hircdqaiamfqcmmbqk.org
- DNS ASK xs#######rtcqxlzdukpsgjbhw.com
- DNS ASK hk#######tgtdmnzmjemjzjbzph.com
- DNS ASK fa######mjphgiuodupjwdy.ru
- DNS ASK crl.microsoft.com
- DNS ASK www.google.com
- '89.##2.155.200':10556
- '65.##.179.245':21463
- '95.##6.175.248':11922
- '19#.#2.113.168':22904
- '21#.#09.241.213':16882
- '18#.#3.99.34':10541
- '84.##.222.81':10378
- '99.##1.187.238':13162
- '81.##3.189.232':10880
- '18#.#41.97.79':13382
- '98.##1.143.22':19595
- '87.##2.133.133':20038
- '68.##.13.236':15057
- '49.##8.49.120':25022
- '19#.#69.125.228':29902
- '10#.#15.44.142':20626
- '67.#6.72.62':25886
- '14#.#36.161.103':14675
- '72.##9.187.249':19320
- ClassName: 'OutlookExpressHiddenWindow' WindowName: ''
- ClassName: 'Indicator' WindowName: ''