Analysis Date: 2018-02-17 08:48:10
MD5: e79bdd1548d3299acfb68e7e7dc56235
SHA1: 03ca3a94b062056155cc29110e79bd0911eef378

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
PEhash:
AV Arcabit (arcavir): Gen:Adware.Heur.wm3@RSTdBJki
AV Authentium: No Virus
AV Grisoft (avg): No Virus
AV Avira (antivir): TR/Dropper.Gen
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Adware.Heur.wm3@RSTdBJki
AV BitDefender: Gen:Adware.Heur.wm3@RSTdBJki
AV BullGuard: Gen:Adware.Heur.wm3@RSTdBJki
AV ClamAV: Error Scanning File
AV Dr. Web: Adware.Gator.444
AV Emsisoft: Gen:Adware.Heur.wm3@RSTdBJki
AV MicroWorld (escan): Gen:Adware.Heur.wm3@RSTdBJki
AV CA (E-Trust Ino): Error Scanning File
AV Fortinet: Adware/Gain
AV Frisk (f-prot): No Virus
AV F-Secure: No Virus
AV Ikarus: Error Scanning File
AV K7: Error Scanning File
AV Kaspersky: AdWare.Win32.Gator.fg
AV MalwareBytes: Adware.Gator
AV Mcafee: No Virus
AV Microsoft Security Essentials: No Virus
AV NANO: Trojan.Win32.CorruptedFile.bfalsp
AV NANO: Trojan.Win32.Gator.dogjis
AV Eset (nod32): Win32/Adware.Gator.Trickler.F
AV Padvish: No Virus
AV CAT (quickheal): PUA.Gator.S23068
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: SMG.Heur!gen
AV Trend Micro: No Virus
AV Twister: Adware.Gator.Trickler.F.ykzx
AV VirusBlokAda (vba32): Adware.Gator
AV Windows Defender: No Virus
AV Zillya!: Adware.Gator.Win32.2

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202a.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202a.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202a.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202a.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202a.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202b.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202b.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202b.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202a.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202b.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202b.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202c.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202c.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202c.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202b.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202c.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202c.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202d.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202d.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202d.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202c.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202d.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202d.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202e.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202e.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202e.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202d.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202e.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202e.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202f.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202f.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202f.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202e.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202f.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202f.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202g.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202g.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202g.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202f.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202g.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202g.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202h.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202h.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202h.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202g.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202h.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202h.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202i.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202i.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202i.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202h.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202i.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202i.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202j.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202j.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202j.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202i.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202j.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202j.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202k.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202k.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202k.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202j.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202k.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202k.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202l.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202l.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202l.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202k.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202l.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202l.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202m.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202m.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202m.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202l.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202m.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202m.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202n.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202n.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202n.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202m.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202n.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202n.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202o.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202o.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202o.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202n.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202o.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202o.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202p.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202p.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202p.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202o.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202p.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202p.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202q.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202q.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202q.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202p.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202q.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202q.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202r.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202r.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202r.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202q.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202r.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202r.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202s.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202s.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202s.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202r.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202s.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202s.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202t.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202t.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202t.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202s.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202t.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202t.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202u.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202u.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202u.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202t.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202u.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202u.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202v.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202v.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202v.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202u.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202v.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202v.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202w.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202w.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202w.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202v.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202w.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202w.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202x.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202x.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202x.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202w.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202x.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202x.exe
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202y.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Trickler ➝ "c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202y.exe"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\AppPath ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202y.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Qwertyuio\Trickler\OldTrickler ➝ c:\users\thx1138\appdata\local\temp\03ca3a94b062056155cc29110e79bd0911eef378_3202x.exe 0

Process
↳ c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202y.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: c:\Users\THX1138\AppData\Local\Temp\03ca3a94b062056155cc29110e79bd0911eef378_3202y.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C}\uets ➝ Óü{Eúr2

Network Details:


Raw Pcap

Strings