Analysis Date: 2018-05-17 18:08:10
MD5: c72c352c03ac17aa312319454c599a0c
SHA1: 3cea30d94d3b4f42e7545d539e4a36df2d683dcf

Static Details:

AV  Arcabit (arcavir)              Gen:Variant.Symmi.63010
AV  Authentium                     W32/VB.AD.gen!Eldorado
AV  Grisoft (avg)                  Error Scanning File
AV  Avira (antivir)                TR/Dropper.Gen
AV  Alwil (avast)                  VB-OJQ [Wrm]
AV  Ad-Aware                       Gen:Variant.Symmi.63010
AV  BitDefender                    Gen:Variant.Symmi.63010
AV  BullGuard                      Gen:Variant.Symmi.63010
AV  ClamAV                         Win.Trojan.Swisyn-70
AV  Dr. Web                        Trojan.Siggen3.5785
AV  Emsisoft                       Gen:Variant.Symmi.63010
AV  MicroWorld (escan)             Gen:Variant.Symmi.63010
AV  CA (E-Trust Ino)               Gen:Variant.Symmi.63010
AV  Fortinet                       W32/Swisyn.BNER!tr
AV  Frisk (f-prot)                 W32/VB.AD.gen!Eldorado
AV  F-Secure                       Gen:Variant.Symmi.63010
AV  Ikarus                         Trojan.Win32.VB
AV  K7                             Trojan ( 0040f0591 )
AV  Kaspersky                      Trojan.Win32.Swisyn.bugf
AV  MalwareBytes                   Backdoor.Agent.Generic
AV  Mcafee                         W32/Swisyn.ag
AV  Microsoft Security Essentials  Trojan:Win32/Msposer.A
AV  NANO                           Trojan.Win32.VB.covkch
AV  Eset (nod32)                   Win32/Sality.NFN virus
AV  Padvish                        Trojan.Win32.Swisyn.bugf
AV  CAT (quickheal)                TrojanDropper.Agent.AZ3
AV  Rising                         Trojan.Win32.VBCode.fnk
AV  360 Safe                       No Virus
AV  SUPERAntiSpyware               No Virus
AV  Symantec                       W32.Gosys
AV  Trend Micro                    PE_GOSYS.A-O
AV  Twister                        Trojan.C263C7C248080CB9
AV  VirusBlokAda (vba32)           MAS.Trojan.VB.01049
AV  Windows Defender               Trojan:Win32/Msposer.A
AV  Zillya!                        No Virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\3cea30d94d3b4f42e7545d539e4a36df2d683dcf.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF30BBFB7769CA79B0.TMP
Creates Filec:\Users\Phil\AppData\Local\Temp\3cea30d94d3b4f42e7545d539e4a36df2d683dcf.exe
Creates Filec:\Users\Phil\AppData\Local\Temp\3cea30d94d3b4f42e7545d539e4a36df2d683dcf.exe
Creates Filec:\Windows\system\explorer.exe
Creates Filec:\Users\Phil\AppData\Local\Temp\3cea30d94d3b4f42e7545d539e4a36df2d683dcf.exe
Creates Filec:\Windows\system\explorer.exe
Creates Mutex
Creates Mutex
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFC14F0A5C87C7487F.TMP
Creates Filec:\Windows\system\explorer.exe
Creates Filec:\Windows\System32\drivers\spoolsv.exe
Creates Filec:\Windows\system\explorer.exe
Creates Filec:\Windows\System32\drivers\spoolsv.exe
Creates FileC:\Users\Phil\AppData\Roaming\mrsys.exe
Creates Filec:\Windows\system\explorer.exe
Creates FileC:\Users\Phil\AppData\Roaming\mrsys.exe
Creates Mutex
Creates Mutex
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer ➝
c:\windows\system\explorer.exe RO
RegistryHKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost ➝
c:\windows\system32\drivers\svchost.exe RO

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF2FC8347FDB0F4912.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFA8CFF6213D8BECF5.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF1E9E7E6DE10AD23F.TMP

Process
↳ C:\Windows\explorer.exe

Creates FileC:\Windows\Globalization\Sorting\sortdefault.nls

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF8451BC08D89AE484.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF071A06179AC9F89C.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF7E2225C42052786C.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFC7CC0543F8C82923.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF6A6DE4A31B0B0E94.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF4CA71380C195E386.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFCDEACAC4FAB6F1C8.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF3FDBFFCD4D0C903B.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF27ECFF1BEDB86852.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFB15B3A9CDD6278CA.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF572130640D5D2DB8.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFDD06C0C74817CBE3.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF59F38DA73FBD6DE3.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFABB221432B9E7014.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF6419E2D1D5FC088D.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFC659E587F6ACB9E7.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFEB456B5565901174.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFCB2EE74ED0385DF8.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFDF5839B9C8D6742F.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFC5371A9C2FAB8550.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFDB2D3E9BAA385519.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF373508642F86D5D4.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF72BE242965A68CE1.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF40D111478563B196.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFB9EF7BDD0F44DEFF.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFE2F8B1068942D5B0.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFC26E5C33DDCBC5E6.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF6EFD4ED2549B4E47.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF03378B2F16AC1203.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFEB6FD04DF89198EF.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF8A431EA233047347.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF8B31309973294DFA.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF79F6B0880706E736.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFE846CECF920454AD.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFB74FA13A6C0D79E4.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFA325B7C9CB8AF358.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFA9843A30D87649AE.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF0001C6249E716F2A.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
Creates Mutex
Creates Mutex
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF4B18C77DC253F4F4.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFCC6A368B86C147F0.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFBB9C038D5CFD7130.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF38001859ADF44284.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF4832169C6053D1B6.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF51D41B7D2660718A.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
Creates Mutex
Creates Mutex
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFB926EA99B249CFE9.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFE2E43856FB8B6759.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFD50C50CB50BB649C.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
Creates Mutex
Creates Mutex
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF6EA7BEA20ED33741.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF01EE5227B8C95AD6.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFA9342CED09728931.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFBFE63F421461BE82.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF202BDB091E6A9A89.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF087ED6AD21B686D7.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF25FC62206A66FC5C.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFA153B587FA51D3F5.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF2994D88A88B8531D.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF1EEF10B0E5101152.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFBE41134B8ADBCF92.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF563A2F3D3E48CAB3.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF759EBAD6A27BCC71.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF337EB941158E268E.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF1BF4D5DC544FC022.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF56ED8A5A1B69A6F5.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFAF49AF620423903F.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF9ED6AC37C8FDAB23.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF5A35FF814CDFFFA0.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFBE57998E0C5223E5.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFB0D6AF8D074107CD.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFE1CABCDF917D1646.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF318F1C42FD550C26.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFECEF3D27EA4BEEB4.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFAD1938757A16DDEB.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFA999166A8251EA56.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF6AA1840AEEE3A04C.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF2FD060DB664B3732.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFC9237323D9E56298.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF142CC8D5F952DB07.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF9983DB395B4F5531.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF0C967C43348ABEE7.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF75C781FB698BE6E5.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF90CCE8D9D25F83A2.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF3305C5A2237F3B87.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF9EDF10478057F886.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF58360EC19F5ECF27.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFD085811D6D104F67.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF0E19012B5917CA80.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF6B02DFE9691C5D0C.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF693AB21204FEC6FE.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF571A02653A80DD41.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF93AC93EF5F8F4914.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF4BB71C7AB13FF57F.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFB4F4FC54C5E17F01.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFE505460BC5866EF6.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF60DE66359A5EB68F.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFD6E207E67CC308A5.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
Creates Mutex
Creates Mutex
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF35809057275F3814.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF2480B8DCBF2733FC.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF1577F89C22841BAB.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF515F6525B73C24D1.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFABEE61AADDD25ACF.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF55BC792F2A1D2E7D.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF35B9495670888DFD.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF3370093A15892086.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFB0E1521E9603D1E4.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFF971A7FABE753608.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFA06479BBC5B3DADF.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF976C0A2D1D8EEB43.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFE403779E50489C79.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF81B7A12DFE683919.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF0613B883F1ED6E66.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFDD3475DBED80BFF9.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFF6FFAE1290AEEEBD.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF0FC1AA8A94328EF1.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFB0D790B3C965DD2E.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF7F9F38E6B76E6D37.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFAE0D09DDED3D2303.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFC9A610F4558F5F75.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF1097717E3497D9BC.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF0B2125B154894180.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF7B7E736232E09020.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFE0D1773DA36B3F3B.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFDE5453BD8CFC9747.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DFC833FB6FB170FA2A.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF77B2B08FFE1614B2.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF26F051612A72DF35.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF6B68B3B9B8696A62.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF01AD9AF27F295946.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF79F3230282A3B0A4.TMP
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\SysWOW64\drivers\svchost.exe
Creates Filec:\Windows\system\explorer.exe
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
RegistryHKEY_CURRENT_USER\Software\VB and VBA Program Settings\Explorer\Process\LO ➝
1
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\system\explorer.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF4AE26A4469B675D7.TMP

Process
↳ c:\Windows\SysWOW64\drivers\spoolsv.exe

Creates FileC:\Users\Phil\AppData\Local\Temp\~DF0DA75872D980B22C.TMP
Creates Filec:\Windows\SysWOW64\drivers\spoolsv.exe
Creates Filec:\Windows\System32\drivers\svchost.exe
Creates Mutex
Creates Mutex

Process
↳ c:\Windows\SysWOW64\drivers\svchost.exe

Network Details:


Raw Pcap


Strings