fb7a18f8a1cc2ba63fec0bd263c0bee75ce2ffa8b16c8649fdb630345d2fde8b

Analysis

max time kernel
120s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d0ef49a35c093be3e115bd25551860N.exe
Size

299KB
MD5

77d0ef49a35c093be3e115bd25551860
SHA1

5b6f55d5565e65355cbccb87a131a18865731ba9
SHA256

fb7a18f8a1cc2ba63fec0bd263c0bee75ce2ffa8b16c8649fdb630345d2fde8b
SHA512

82172479f3f6160b001855b733507c40ff4e97878cef75c36a6a98fb1ed9e55bebd0e12da12a30a7112340bff76177610587a9af101ec82069bfe85cf211f95b
SSDEEP

6144:L+k5XLaJbcplKJmxOYO3rLPFE2NJOdK/wmAQQQQQQQQQQQQQQQQQQQQQQQQQQQQz:t+JbMJqfFE27P90

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Executes dropped EXE 64 IoCs

pid	Process
1068	explorer.exe
3012	explorer.exe
2636	explorer.exe
1716	explorer.exe
1012	explorer.exe
2148	spoolsv.exe
5028	spoolsv.exe
552	spoolsv.exe
2108	explorer.exe
5104	explorer.exe
844	explorer.exe
3764	spoolsv.exe
2052	spoolsv.exe
1056	spoolsv.exe
2364	explorer.exe
872	explorer.exe
788	explorer.exe
640	explorer.exe
3348	explorer.exe
4292	spoolsv.exe
4012	spoolsv.exe
3360	spoolsv.exe
3048	spoolsv.exe
1292	spoolsv.exe
644	spoolsv.exe
3496	explorer.exe
3832	explorer.exe
4880	explorer.exe
3788	explorer.exe
2204	explorer.exe
696	spoolsv.exe
2592	spoolsv.exe
744	spoolsv.exe
4912	spoolsv.exe
3532	spoolsv.exe
3800	spoolsv.exe
1628	explorer.exe
1064	explorer.exe
4892	explorer.exe
1828	spoolsv.exe
2408	spoolsv.exe
4436	spoolsv.exe
4560	spoolsv.exe
4204	spoolsv.exe
4600	explorer.exe
3256	explorer.exe
1120	explorer.exe
2192	explorer.exe
4932	explorer.exe
2756	explorer.exe
1232	explorer.exe
2112	spoolsv.exe
1096	spoolsv.exe
3116	spoolsv.exe
3768	spoolsv.exe
1792	spoolsv.exe
1948	spoolsv.exe
2940	spoolsv.exe
2484	spoolsv.exe
3128	spoolsv.exe
432	spoolsv.exe
1472	explorer.exe
3176	explorer.exe
5104	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 1068 set thread context of 1012	1068	explorer.exe	92
PID 2148 set thread context of 552	2148	spoolsv.exe	95
PID 2108 set thread context of 844	2108	explorer.exe	98
PID 3764 set thread context of 1056	3764	spoolsv.exe	101
PID 2364 set thread context of 3348	2364	explorer.exe	106
PID 4292 set thread context of 3360	4292	spoolsv.exe	109
PID 3048 set thread context of 644	3048	spoolsv.exe	114
PID 3496 set thread context of 3788	3496	explorer.exe	119
PID 696 set thread context of 744	696	spoolsv.exe	122
PID 4912 set thread context of 3800	4912	spoolsv.exe	127
PID 1628 set thread context of 4892	1628	explorer.exe	130
PID 1828 set thread context of 4204	1828	spoolsv.exe	135
PID 4600 set thread context of 1232	4600	explorer.exe	142
PID 2112 set thread context of 3116	2112	spoolsv.exe	145
PID 3768 set thread context of 432	3768	spoolsv.exe	152
PID 1472 set thread context of 436	1472	explorer.exe	157
PID 336 set thread context of 2052	336	spoolsv.exe	160
PID 3000 set thread context of 640	3000	spoolsv.exe	164
PID 1788 set thread context of 3956	1788	explorer.exe	167
PID 4292 set thread context of 5112	4292	spoolsv.exe	170
PID 2892 set thread context of 4084	2892	spoolsv.exe	173
PID 3756 set thread context of 2964	3756	explorer.exe	176
PID 1704 set thread context of 4392	1704	spoolsv.exe	179
PID 1256 set thread context of 4460	1256	spoolsv.exe	182
PID 3260 set thread context of 3836	3260	explorer.exe	185
PID 4536 set thread context of 4364	4536	spoolsv.exe	188
PID 440 set thread context of 956	440	spoolsv.exe	193
PID 2472 set thread context of 2900	2472	explorer.exe	196
PID 4944 set thread context of 2160	4944	spoolsv.exe	201
PID 1696 set thread context of 1232	1696	spoolsv.exe	206
PID 2812 set thread context of 1096	2812	explorer.exe	209
PID 1932 set thread context of 4728	1932	spoolsv.exe	212
PID 2864 set thread context of 4612	2864	spoolsv.exe	215
PID 4884 set thread context of 656	4884	explorer.exe	218
PID 1984 set thread context of 2428	1984	spoolsv.exe	221
PID 2588 set thread context of 1184	2588	spoolsv.exe	224
PID 3552 set thread context of 4688	3552	explorer.exe	227
PID 3764 set thread context of 4556	3764	spoolsv.exe	230
PID 1080 set thread context of 3424	1080	spoolsv.exe	233
PID 3136 set thread context of 2892	3136	explorer.exe	236
PID 5036 set thread context of 2456	5036	spoolsv.exe	239
PID 4864 set thread context of 2932	4864	spoolsv.exe	244
PID 4000 set thread context of 4112	4000	explorer.exe	247
PID 2284 set thread context of 4356	2284	spoolsv.exe	250
PID 1444 set thread context of 1988	1444	spoolsv.exe	253
PID 2200 set thread context of 892	2200	explorer.exe	256
PID 3924 set thread context of 3012	3924	spoolsv.exe	259
PID 3116 set thread context of 2192	3116	spoolsv.exe	262
PID 3612 set thread context of 1096	3612	explorer.exe	265
PID 1116 set thread context of 2044	1116	spoolsv.exe	268
PID 4856 set thread context of 2484	4856	spoolsv.exe	271
PID 1572 set thread context of 3740	1572	explorer.exe	278
PID 1908 set thread context of 5024	1908	spoolsv.exe	281
PID 3644 set thread context of 3224	3644	spoolsv.exe	284
PID 2344 set thread context of 3632	2344	explorer.exe	289
PID 2016 set thread context of 3764	2016	spoolsv.exe	292
PID 4744 set thread context of 2204	4744	spoolsv.exe	295
PID 2892 set thread context of 3944	2892	explorer.exe	300
PID 1800 set thread context of 4364	1800	spoolsv.exe	305
PID 1632 set thread context of 4232	1632	spoolsv.exe	308
PID 2012 set thread context of 4864	2012	explorer.exe	311
PID 2284 set thread context of 4424	2284	spoolsv.exe	316
PID 4380 set thread context of 1260	4380	spoolsv.exe	321

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
348	4356	WerFault.exe	1021
3648	4364	Process not Found	1132

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	77d0ef49a35c093be3e115bd25551860N.exe
4348	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1068	explorer.exe
1068	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe
1012	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1012	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1052	77d0ef49a35c093be3e115bd25551860N.exe
1052	77d0ef49a35c093be3e115bd25551860N.exe
1012	explorer.exe
1012	explorer.exe
552	spoolsv.exe
552	spoolsv.exe
844	explorer.exe
844	explorer.exe
1056	spoolsv.exe
1056	spoolsv.exe
3348	explorer.exe
3348	explorer.exe
3360	spoolsv.exe
3360	spoolsv.exe
644	spoolsv.exe
644	spoolsv.exe
3788	explorer.exe
3788	explorer.exe
744	spoolsv.exe
744	spoolsv.exe
3800	spoolsv.exe
3800	spoolsv.exe
4892	explorer.exe
4892	explorer.exe
4204	spoolsv.exe
4204	spoolsv.exe
1232	explorer.exe
1232	explorer.exe
3116	spoolsv.exe
3116	spoolsv.exe
432	spoolsv.exe
432	spoolsv.exe
436	explorer.exe
436	explorer.exe
2052	spoolsv.exe
2052	spoolsv.exe
640	spoolsv.exe
640	spoolsv.exe
3956	explorer.exe
3956	explorer.exe
5112	spoolsv.exe
5112	spoolsv.exe
4084	spoolsv.exe
4084	spoolsv.exe
2964	explorer.exe
2964	explorer.exe
4392	spoolsv.exe
4392	spoolsv.exe
4460	spoolsv.exe
4460	spoolsv.exe
3836	explorer.exe
3836	explorer.exe
4364	spoolsv.exe
4364	spoolsv.exe
956	spoolsv.exe
956	spoolsv.exe
2900	explorer.exe
2900	explorer.exe
2160	spoolsv.exe
2160	spoolsv.exe
1232	spoolsv.exe
1232	spoolsv.exe
1096	explorer.exe
1096	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4828	4348	77d0ef49a35c093be3e115bd25551860N.exe	84
PID 4348 wrote to memory of 4828	4348	77d0ef49a35c093be3e115bd25551860N.exe	84
PID 4348 wrote to memory of 4828	4348	77d0ef49a35c093be3e115bd25551860N.exe	84
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 1052 wrote to memory of 1068	1052	77d0ef49a35c093be3e115bd25551860N.exe	87
PID 1052 wrote to memory of 1068	1052	77d0ef49a35c093be3e115bd25551860N.exe	87
PID 1052 wrote to memory of 1068	1052	77d0ef49a35c093be3e115bd25551860N.exe	87
PID 4348 wrote to memory of 1052	4348	77d0ef49a35c093be3e115bd25551860N.exe	85
PID 1068 wrote to memory of 3012	1068	explorer.exe	89
PID 1068 wrote to memory of 3012	1068	explorer.exe	89
PID 1068 wrote to memory of 3012	1068	explorer.exe	89
PID 1068 wrote to memory of 2636	1068	explorer.exe	90
PID 1068 wrote to memory of 2636	1068	explorer.exe	90
PID 1068 wrote to memory of 2636	1068	explorer.exe	90
PID 1068 wrote to memory of 1716	1068	explorer.exe	91
PID 1068 wrote to memory of 1716	1068	explorer.exe	91
PID 1068 wrote to memory of 1716	1068	explorer.exe	91
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 1012 wrote to memory of 2148	1012	explorer.exe	93
PID 1012 wrote to memory of 2148	1012	explorer.exe	93
PID 1012 wrote to memory of 2148	1012	explorer.exe	93
PID 1068 wrote to memory of 1012	1068	explorer.exe	92
PID 2148 wrote to memory of 5028	2148	spoolsv.exe	94
PID 2148 wrote to memory of 5028	2148	spoolsv.exe	94
PID 2148 wrote to memory of 5028	2148	spoolsv.exe	94
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 2148 wrote to memory of 552	2148	spoolsv.exe	95
PID 552 wrote to memory of 2108	552	spoolsv.exe	96
PID 552 wrote to memory of 2108	552	spoolsv.exe	96
PID 552 wrote to memory of 2108	552	spoolsv.exe	96
PID 2108 wrote to memory of 5104	2108	explorer.exe	97
PID 2108 wrote to memory of 5104	2108	explorer.exe	97
PID 2108 wrote to memory of 5104	2108	explorer.exe	97

C:\Users\Admin\AppData\Local\Temp\77d0ef49a35c093be3e115bd25551860N.exe
"C:\Users\Admin\AppData\Local\Temp\77d0ef49a35c093be3e115bd25551860N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Users\Admin\AppData\Local\Temp\77d0ef49a35c093be3e115bd25551860N.exe
  C:\Users\Admin\AppData\Local\Temp\77d0ef49a35c093be3e115bd25551860N.exe
  2⤵
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\77d0ef49a35c093be3e115bd25551860N.exe
  C:\Users\Admin\AppData\Local\Temp\77d0ef49a35c093be3e115bd25551860N.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1052
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Executes dropped EXE
      PID:3012
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Executes dropped EXE
      PID:2636
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Executes dropped EXE
      PID:1716
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Modifies visiblity of hidden/system files in Explorer
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1012
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:5028
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:5104
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:844
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3764
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:2052
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:872
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:788
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:640
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3348
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4292
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:4012
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3360
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3048
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:1292
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:644
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3496
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:3832
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:4880
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:2204
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3788
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:2592
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:744
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4912
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:3532
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3800
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1628
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:1064
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4892
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1828
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:2408
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:4436
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:4560
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4204
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:3256
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:1120
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:2192
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:4932
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:2756
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1232
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2112
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:1096
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3116
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3768
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:1792
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:1948
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:2940
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:2484
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        
        PID:3128
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1472
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:3176
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:5104
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3148
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:436
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:336
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2796
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2052
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3000
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:788
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:640
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:1788
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:5084
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3956
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4292
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3244
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5112
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2892
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3616
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3756
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1588
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2964
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1704
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5036
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4392
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1256
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4304
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4460
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3260
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4080
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3836
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4536
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3484
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4364
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:440
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1552
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2472
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2872
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2900
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4944
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4436
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4560
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2692
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2160
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1120
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2192
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2812
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1096
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1932
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2368
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4728
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2864
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4280
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4612
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:4884
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1572
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:656
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1984
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3456
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2588
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3240
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1184
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3552
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3016
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4688
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3764
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3244
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4556
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1080
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2524
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3424
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3136
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4920
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2892
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:5036
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4392
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2456
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4864
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3048
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3392
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1032
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2932
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:4000
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4112
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2284
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:900
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4356
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1444
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4380
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1988
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2200
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:440
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:892
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3924
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2476
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3012
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3116
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2192
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:3612
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4360
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1096
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1116
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1932
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2044
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4856
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1948
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2484
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:1572
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3128
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2864
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3600
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2796
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4548
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3740
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1908
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3804
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5024
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:3644
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5084
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3224
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2344
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3016
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4688
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2492
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3632
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2016
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4556
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3764
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4744
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1124
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2204
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2892
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4844
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4592
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1080
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3944
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1800
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2456
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3836
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4060
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4364
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1632
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2040
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4232
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Suspicious use of SetThreadContext
        
        PID:2012
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:456
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4864
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2284
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2872
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4356
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4456
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4424
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Suspicious use of SetThreadContext
        
        PID:4380
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1476
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:384
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:440
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1260
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2404
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1964
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3924
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4680
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2636
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1700
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4360
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1096
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:5028
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2944
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2144
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1072
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4988
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4496
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1948
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3128
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2796
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3600
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4012
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2468
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1792
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5024
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1292
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3000
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:468
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3808
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5076
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3404
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2288
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3052
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1712
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:392
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5036
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4392
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4844
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1080
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4920
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1584
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4544
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2540
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3596
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4176
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1800
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1256
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:4536
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5072
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1508
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3352
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1632
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1376
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4456
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3484
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1444
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2408
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4528
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2112
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4088
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2976
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2300
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1336
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3924
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3988
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4948
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4680
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1884
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2352
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1796
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4728
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1320
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4804
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4548
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3080
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3816
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3240
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5112
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2336
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2736
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2588
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4708
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3764
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3808
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2964
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4368
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4556
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3644
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1704
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4120
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:392
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1552
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:456
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1800
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1256
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3944
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2160
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2596
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2900
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2332
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4276
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4864
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1964
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1120
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1828
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4980
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4616
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1732
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2056
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2972
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3168
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4732
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:32
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3908
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4984
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3812
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3924
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5104
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3560
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:336
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3128
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3768
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2104
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3804
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3000
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2864
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:5024
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3200
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2688
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1920
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2992
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3676
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2840
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1124
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4292
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3052
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:744
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4392
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4304
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1600
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2052
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3532
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3836
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3596
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4844
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2380
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4420
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2592
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4932
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4544
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:756
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2160
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3484
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2076
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4144
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2636
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4404
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4980
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2284
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4616
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2056
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4472
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4380
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:116
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2368
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3168
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1372
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4572
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2972
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1320
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4712
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4416
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3924
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3116
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:5104
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:372
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4280
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2824
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:336
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2016
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3740
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3564
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2656
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1972
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3796
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:468
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3952
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4200
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1292
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2464
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3448
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3644
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3632
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3900
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4300
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:5036
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4304
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1516
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2540
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3244
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4400
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4824
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2748
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4088
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2456
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4580
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2900
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4576
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3964
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4360
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2560
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1732
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3140
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3352
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:820
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4944
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4472
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2528
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2056
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1812
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:3176
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3256
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:436
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3456
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3816
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1512
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2492
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4280
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3000
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2288
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2736
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3200
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4040
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3220
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5052
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2916
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:624
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1920
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2464
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4532
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:900
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3596
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1800
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3048
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4556
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:772
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2868
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3052
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1508
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3244
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4268
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:756
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2380
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4068
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1120
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2144
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3688
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2948
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1492
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1540
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:384
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:400
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2112
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1444
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2896
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2504
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3908
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4948
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4520
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2284
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1336
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:212
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4828
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3988
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3812
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5104
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5084
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2168
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4660
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2796
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4804
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:372
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2840
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3564
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3832
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3816
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1512
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2288
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3200
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2536
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:5024
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:468
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4708
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1904
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4060
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1124
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4744
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2440
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:900
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4212
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3992
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1948
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4844
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4176
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2020
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1508
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3244
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4268
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4556
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2456
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4588
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4580
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2008
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4528
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3484
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2352
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3160
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3624
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1796
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2112
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4856
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1732
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2896
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1700
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4416
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3544
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1320
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4944
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2168
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:5080
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3636
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2824
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4804
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4040
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:656
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2960
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1480
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2536
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4260
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1536
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1920
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:468
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4688
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4304
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:5024
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3796
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4532
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3048
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:772
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2596
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1800
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:892
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4176
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2020
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1224
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4544
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4268
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4644
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:224
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2448
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1632
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4556
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2144
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3056
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3624
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3908
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2504
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3768
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2368
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2896
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:5116
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4360
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3256
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:5084
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2496
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3096
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4696
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2104
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3456
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3200
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:628
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3740
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3952
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3564
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4260
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2944
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4080
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2708
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2260
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3596
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4060
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2872
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4444
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2976
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3776
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1256
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:988
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3688
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2076
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3244
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2388
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5108
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1912
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4964
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4876
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3420
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4472
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1540
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3484
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2044
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2332
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4276
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1028
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3240
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5104
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4436
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:212
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3116
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4380
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3504
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4144
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2492
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3832
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1372
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2340
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4668
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3616
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:436
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4040
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:336
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1712
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3648
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4808
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:708
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3740
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3764
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4688
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:628
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4292
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2708
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4356
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4868
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1920
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1776
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1116
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4544
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2476
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:440
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4068
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:384
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2976
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4208
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2388
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2900
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4876
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2112
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4472
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2044
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1632
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4580
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4984
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4636
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4616
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:212
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3504
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4144
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2492
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1648
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1932
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2340
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4812
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4548
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2536
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2400
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3080
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4904
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:784
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3764
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3680
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4960
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4264
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1504
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1536
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4428
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2668
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1516
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4356
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4200
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4992
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1776
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3784
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2076
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3664
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4420
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1256
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2696
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2884
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:848
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3532
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2528
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1596
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4520
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2052
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3968
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1524
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2008
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4576
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3420
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2824
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4360
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4860
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3544
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1700
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:5080
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3168
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3624
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1320
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4712
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1696
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4668
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1792
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4852
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4300
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1032
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:2880
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2228
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4700
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4808
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:316
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4120
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3448
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3648
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4532
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2872
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:5036
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4264
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4400
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4688
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3428
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3528
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2236
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4308
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4544
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3836
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4132
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1508
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4992
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1476
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:756
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2900
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:5012
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:848
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2448
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:384
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4540
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4424
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:820
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4580
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3360
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3684
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2436
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4416
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1660
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2824
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2368
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2896
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1444
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2492
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1812
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5084
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3016
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3500
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3812
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3832
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4660
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1696
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:436
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2736
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2588
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4300
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2688
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4744
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1440
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:724
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3332
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2536
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:3992
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4444
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2260
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3648
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1552
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2872
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3560
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2916
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3668
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4304
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4264
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3776
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4964
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2380
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1064
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3528
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1072
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:224
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1828
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4132
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1120
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3780
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:676
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1476
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:116
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4936
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3744
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3388
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3968
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4208
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2704
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2940
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1668
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2996
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3684
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2436
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4796
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2368
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4720
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1384
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2092
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4040
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3352
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3220
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3616
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2524
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1704
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1088
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:5040
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2468
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1076
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3144
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4804
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2536
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:624
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2668
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3992
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 156
        7⤵
        Program crash
        
        PID:348
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4448
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4264
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:4536
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4956
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3172
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:2456
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1592
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3196
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1120
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5012
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4644
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:452
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3108
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2540
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4540
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2448
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2044
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3924
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3816
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4360
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:2332
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1732
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2940
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:1700
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2564
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1524
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:1444
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3700
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1480
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4712
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3236
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1060
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4040
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2288
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3168
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2524
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4852
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4260
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:784
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2228
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1704
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:2688
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1716
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2408
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:752
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2536
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2944
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:1920
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4428
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1912
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:1504
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4684
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4716
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4180
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4956
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3428
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4544
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        
        PID:4828
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2456
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2976
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        
        PID:4520
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3744
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3664
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5012
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4644
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4036
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2008
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2388
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:1120
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:3456
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4636
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:2332
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:4148
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3264
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:1648
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:3860
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3804
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:2436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        
        PID:4712
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        
        PID:708
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3504
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:3352
    - - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3544
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:772
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:5040
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        6⤵
        
        PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4356 -ip 4356
1⤵
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
299KB

MD5
e47bd108c3b7411d74ace88b26ab173c

SHA1
cb8bf29efd4488ddd21b0da3d53d6a4121d65b01

SHA256
d93217988ca35344dd287fd43456af738c7f84557ad4be5ad94d3c599caeb4dc

SHA512
a988c9899122c230d6fa4d1108c9d4230253c4bb6639c8a80e7b3e70e8c6535214c468c60f563a1f9ed460505ebdbe39762b35d662a4883ef92ff99606ab7dbc

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
299KB

MD5
8e9169878e8661c943cfc75fdc76b3cb

SHA1
6809b770fd3afdab2aaeca9343e2cca967db6dcb

SHA256
187b1b67c75edf70799225e1bc620fe70f3aa89767a69e5008b02b737ffc9267

SHA512
97e318bd492e8082020354417c8ee3992b43b5cd41138f56f6c33e654a5ab39261ba89bd2be048c07f6474994569a3d15ca3af637fd716673785f8dac44955d0

Download Submit
memory/1052-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1052-3-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-0-0x0000000000FB0000-0x0000000000FB5000-memory.dmp

Filesize
20KB

Download