Technical Information
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'Agobyz' = '%APPDATA%\Roaming\Metu\agobyz.exe'
- '%APPDATA%\Roaming\Metu\agobyz.exe'
- '<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<SYSTEM32>\taskhost.exe"
- '<SYSTEM32>\wermgr.exe' -queuereporting
- <SYSTEM32>\cmd.exe
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\cuvonprlflcuembylfeudmmbbqeu_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ibuodeucuuslpnzkbddprkv_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hvclzemvmbpxwsfmnjtovlfy_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xcqozhycuduzxxxknheymn_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dirwuwojrsljzfihlthmguifvkxo_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\tcdeydymjkbfalfovydgqdeybiv_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\uwcevstghupfnzeigextvgyt_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\yabebmtkwckswhmvrocuvkmnbi_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ortmforkvlrmbmzdhnrei_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\buyhsctlvduljzmrwiirtkbukb_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mzfeztzhfegqqsthypjbgxh_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\eqsorckbnftvgjrntuyttcpjv_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dufqxsorvwuxpmvifuwjfqsgyvw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\fadekjnbohqxgbmhinzzkngqukpnvc_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\kvqswkugyxlnzcmtslbvgxpifnfq_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\irymfmntoxwytxlxwhahmnfofkn_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\gavcwsmzpbaditvmrvwqcprs_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xpkvbithoribxshzdsohpx_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xgxkbivlrkntosogezgexijknjbx_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dfeucxrceijzzlqwwcxpthyif_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\giadanrkfmfphmrszlmzmzijhuw_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\zukxkpqwsoaiypcqdebbmnga_ru[1]
- <LS_APPDATA>\Microsoft\Windows Mail\edb.log
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.pat
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Sent Items\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Outbox\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\tmp.edb
- %APPDATA%\Roaming\Metu\agobyz.exe
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore
- <LS_APPDATA>\Microsoft\Windows Mail\Backup\temp\edb00002.log
- <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Deleted Items\winmail.fol
- %TEMP%\TarDF28.tmp
- %TEMP%\CabDF27.tmp
- %TEMP%\ppcrlui_3024_2
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hyxlruogehpbytealbqlvsus_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\zxhukzxmwobepzitreaud_net[1]
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Junk E-mail\winmail.fol
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Drafts\winmail.fol
- %TEMP%\FPIBD63.bat
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\51CD027E-00000001.eml:OECustomProperty
- <LS_APPDATA>\Microsoft\Windows Mail\Local Folders\Inbox\51CD027E-00000001.eml
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xpkvbithoribxshzdsohpx_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\gavcwsmzpbaditvmrvwqcprs_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xgxkbivlrkntosogezgexijknjbx_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dirwuwojrsljzfihlthmguifvkxo_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\xcqozhycuduzxxxknheymn_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\mzfeztzhfegqqsthypjbgxh_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\giadanrkfmfphmrszlmzmzijhuw_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\fadekjnbohqxgbmhinzzkngqukpnvc_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\irymfmntoxwytxlxwhahmnfofkn_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\kvqswkugyxlnzcmtslbvgxpifnfq_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dfeucxrceijzzlqwwcxpthyif_biz[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\dufqxsorvwuxpmvifuwjfqsgyvw_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\eqsorckbnftvgjrntuyttcpjv_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hyxlruogehpbytealbqlvsus_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\zukxkpqwsoaiypcqdebbmnga_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\uwcevstghupfnzeigextvgyt_biz[1]
- %TEMP%\CabDF27.tmp
- %TEMP%\TarDF28.tmp
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\zxhukzxmwobepzitreaud_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\tcdeydymjkbfalfovydgqdeybiv_net[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ibuodeucuuslpnzkbddprkv_ru[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\cuvonprlflcuembylfeudmmbbqeu_com[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\hvclzemvmbpxwsfmnjtovlfy_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\yabebmtkwckswhmvrocuvkmnbi_org[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\buyhsctlvduljzmrwiirtkbukb_info[1]
- <LS_APPDATA>\Microsoft\Windows\Temporary Internet Files\Content.IE5\6P5SDOMI\ortmforkvlrmbmzdhnrei_com[1]
- from <LS_APPDATA>\Microsoft\Windows Mail\edbtmp.log to <LS_APPDATA>\Microsoft\Windows Mail\edb.log
- 'xp######oribxshzdsohpx.ru':80
- 'ga#######baditvmrvwqcprs.com':80
- 'xg########ntosogezgexijknjbx.net':80
- 'di########ljzfihlthmguifvkxo.org':80
- 'xc######uduzxxxknheymn.net':80
- 'mz######fegqqsthypjbgxh.biz':80
- 'gi#######mfphmrszlmzmzijhuw.org':80
- 'fa########qxgbmhinzzkngqukpnvc.com':80
- 'ir########wytxlxwhahmnfofkn.info':80
- 'kv########lnzcmtslbvgxpifnfq.biz':80
- 'df#######ijzzlqwwcxpthyif.biz':80
- 'du#######wuxpmvifuwjfqsgyvw.com':80
- 'eq#######ftvgjrntuyttcpjv.ru':80
- 'hy#######hpbytealbqlvsus.com':80
- 'zu######soaiypcqdebbmnga.ru':80
- 'uw#######upfnzeigextvgyt.biz':80
- '74.##5.232.51':80
- 'www.bing.com':80
- 'zx######wobepzitreaud.net':80
- 'tc#######kbfalfovydgqdeybiv.net':80
- 'ib######uuslpnzkbddprkv.ru':80
- 'cu########cuembylfeudmmbbqeu.com':80
- 'hv#######bpxwsfmnjtovlfy.info':80
- 'ya#######ckswhmvrocuvkmnbi.org':80
- 'bu#######duljzmrwiirtkbukb.info':80
- 'or######vlrmbmzdhnrei.com':80
- xp######oribxshzdsohpx.ru/
- ga#######baditvmrvwqcprs.com/
- xg########ntosogezgexijknjbx.net/
- di########ljzfihlthmguifvkxo.org/
- xc######uduzxxxknheymn.net/
- mz######fegqqsthypjbgxh.biz/
- gi#######mfphmrszlmzmzijhuw.org/
- fa########qxgbmhinzzkngqukpnvc.com/
- ir########wytxlxwhahmnfofkn.info/
- kv########lnzcmtslbvgxpifnfq.biz/
- df#######ijzzlqwwcxpthyif.biz/
- du#######wuxpmvifuwjfqsgyvw.com/
- eq#######ftvgjrntuyttcpjv.ru/
- hy#######hpbytealbqlvsus.com/
- zu######soaiypcqdebbmnga.ru/
- uw#######upfnzeigextvgyt.biz/
- 74.##5.232.51/
- www.bing.com/
- zx######wobepzitreaud.net/
- tc#######kbfalfovydgqdeybiv.net/
- ib######uuslpnzkbddprkv.ru/
- cu########cuembylfeudmmbbqeu.com/
- hv#######bpxwsfmnjtovlfy.info/
- ya#######ckswhmvrocuvkmnbi.org/
- bu#######duljzmrwiirtkbukb.info/
- or######vlrmbmzdhnrei.com/
- DNS ASK cu########cuembylfeudmmbbqeu.com
- DNS ASK ib######uuslpnzkbddprkv.ru
- DNS ASK or######vlrmbmzdhnrei.com
- DNS ASK xc######uduzxxxknheymn.net
- DNS ASK di########ljzfihlthmguifvkxo.org
- DNS ASK hv#######bpxwsfmnjtovlfy.info
- DNS ASK uw#######upfnzeigextvgyt.biz
- DNS ASK zu######soaiypcqdebbmnga.ru
- DNS ASK hy#######hpbytealbqlvsus.com
- DNS ASK bu#######duljzmrwiirtkbukb.info
- DNS ASK ya#######ckswhmvrocuvkmnbi.org
- DNS ASK tc#######kbfalfovydgqdeybiv.net
- DNS ASK fa########qxgbmhinzzkngqukpnvc.com
- DNS ASK eq#######ftvgjrntuyttcpjv.ru
- DNS ASK du#######wuxpmvifuwjfqsgyvw.com
- DNS ASK jr#######uaxthtsdqlrqcqnvqk.net
- DNS ASK kv########lnzcmtslbvgxpifnfq.biz
- DNS ASK ir########wytxlxwhahmnfofkn.info
- DNS ASK ga#######baditvmrvwqcprs.com
- DNS ASK xp######oribxshzdsohpx.ru
- DNS ASK mz######fegqqsthypjbgxh.biz
- DNS ASK df#######ijzzlqwwcxpthyif.biz
- DNS ASK gi#######mfphmrszlmzmzijhuw.org
- DNS ASK xg########ntosogezgexijknjbx.net
- DNS ASK download.windowsupdate.com
- DNS ASK zx######wobepzitreaud.net
- DNS ASK dn#.##ftncsi.com
- DNS ASK crl.microsoft.com
- DNS ASK www.google.com
- DNS ASK www.bing.com
- '90.##6.118.144':2081
- '12#.#0.12.36':5916
- '1.#.203.31':9834
- '10#.#93.194.29':7057
- '76.##6.114.217':1684
- '10#.#17.117.139':8593
- '18#.#42.106.74':4510
- '20#.#09.207.224':5689
- '19#.#02.83.105':16419
- '10#.#34.133.110':8387
- '12#.#38.67.140':4636
- '2.##.193.124':20241
- '87.##.153.107':17377
- '2.##.29.30':29754
- '18#.#47.156.110':15936
- '10#.#93.222.108':3981
- '66.##.204.26':24382
- '31.#46.14.8':23166
- '10#.#4.172.39':3059
- '84.#9.131.0':7605
- ClassName: 'OutlookExpressHiddenWindow' WindowName: '(null)'
- ClassName: 'Indicator' WindowName: '(null)'