asyncrat | 8731222107da184b71a7a4e9e1650522b58fb26f72198ad6ec8c965bfdce0774

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2024, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat redline default discovery evasion execution infostealer persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

ser.nrovn.xyz:6606

ser.nrovn.xyz:7707

ser.nrovn.xyz:8808

Mutex

nfMlxLKxWkbD

Attributes

delay
3
install
true
install_file
http.exe
install_folder
%AppData%

aes.plain

Extracted

Family

redline

185.196.9.26:6302

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/1816-57-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral2/memory/5944-1396-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

Redline family
redline

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 1524 created 4328	1524	Mswgoudnv.exe	335
PID 1020 created 2644	1020	iarmih.exe	115
PID 3644 created 3432	3644	3.exe	56
PID 3644 created 3432	3644	3.exe	56
PID 4648 created 3432	4648	Process not Found	56
PID 4648 created 3432	4648	Process not Found	56
PID 4648 created 3432	4648	Process not Found	56

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb4-91.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Encrypted2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	langla.exe

Executes dropped EXE 64 IoCs

pid	Process
216	file.exe
2196	4.exe
3484	Encrypted2.exe
684	cock.exe
224	A3.exe
2356	A3.exe
3660	A3.exe
3656	a3.exe
2008	langla.exe
2748	icsys.icn.exe
540	icsys.icn.exe
4444	icsys.icn.exe
1936	explorer.exe
4932	explorer.exe
2644	explorer.exe
1524	Mswgoudnv.exe
1648	spoolsv.exe
4144	spoolsv.exe
2224	spoolsv.exe
3036	explorer.exe
3972	explorer.exe
3708	explorer.exe
4404	explorer.exe
4604	spoolsv.exe
4660	spoolsv.exe
3808	spoolsv.exe
4192	spoolsv.exe
2732	spoolsv.exe
4320	explorer.exe
852	spoolsv.exe
3060	explorer.exe
3908	explorer.exe
2744	spoolsv.exe
3620	spoolsv.exe
1520	spoolsv.exe
4516	spoolsv.exe
5092	spoolsv.exe
4124	explorer.exe
2552	spoolsv.exe
4464	explorer.exe
3372	explorer.exe
5188	spoolsv.exe
5228	spoolsv.exe
3868	spoolsv.exe
1184	spoolsv.exe
4836	spoolsv.exe
5232	explorer.exe
5264	explorer.exe
5316	spoolsv.exe
5416	spoolsv.exe
5440	spoolsv.exe
5572	http.exe
5736	spoolsv.exe
5720	LgendPremium.exe
4440	spoolsv.exe
2612	spoolsv.exe
4488	explorer.exe
4856	explorer.exe
2440	explorer.exe
1912	spoolsv.exe
4708	spoolsv.exe
3660	spoolsv.exe
5132	spoolsv.exe
5176	spoolsv.exe

Loads dropped DLL 1 IoCs

pid	Process
5684	UpdateSSSS.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe"	Mswgoudnv.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5168	powershell.exe
5496	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
31	bitbucket.org
32	bitbucket.org
42	raw.githubusercontent.com
43	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 684 set thread context of 1816	684	cock.exe	104
PID 224 set thread context of 3660	224	A3.exe	107
PID 2748 set thread context of 4444	2748	icsys.icn.exe	112
PID 1936 set thread context of 2644	1936	explorer.exe	115
PID 1648 set thread context of 2224	1648	spoolsv.exe	119
PID 3036 set thread context of 4404	3036	explorer.exe	123
PID 4604 set thread context of 2732	4604	spoolsv.exe	128
PID 4320 set thread context of 3060	4320	explorer.exe	132
PID 852 set thread context of 3620	852	spoolsv.exe	134
PID 1520 set thread context of 5092	1520	spoolsv.exe	143
PID 4124 set thread context of 3372	4124	explorer.exe	147
PID 2552 set thread context of 5228	2552	spoolsv.exe	149
PID 3868 set thread context of 4836	3868	spoolsv.exe	152
PID 5232 set thread context of 5264	5232	explorer.exe	154
PID 5316 set thread context of 5440	5316	spoolsv.exe	157
PID 5736 set thread context of 2612	5736	spoolsv.exe	162
PID 4488 set thread context of 2440	4488	explorer.exe	165
PID 1912 set thread context of 3660	1912	spoolsv.exe	168
PID 5132 set thread context of 5180	5132	spoolsv.exe	171
PID 5404 set thread context of 5444	5404	explorer.exe	174
PID 5512 set thread context of 5560	5512	spoolsv.exe	177
PID 5684 set thread context of 5944	5684	UpdateSSSS.exe	180
PID 6036 set thread context of 6140	6036	spoolsv.exe	183
PID 5800 set thread context of 5848	5800	explorer.exe	186
PID 5860 set thread context of 5900	5860	spoolsv.exe	191
PID 6048 set thread context of 6112	6048	spoolsv.exe	197
PID 2900 set thread context of 3720	2900	explorer.exe	202
PID 4916 set thread context of 2348	4916	spoolsv.exe	205
PID 3960 set thread context of 2220	3960	spoolsv.exe	208
PID 2736 set thread context of 2748	2736	explorer.exe	211
PID 4516 set thread context of 5128	4516	spoolsv.exe	214
PID 3588 set thread context of 5060	3588	spoolsv.exe	221
PID 5284 set thread context of 5564	5284	explorer.exe	229
PID 5588 set thread context of 4472	5588	spoolsv.exe	232
PID 5640 set thread context of 1388	5640	spoolsv.exe	235
PID 2848 set thread context of 2508	2848	explorer.exe	238
PID 5096 set thread context of 2672	5096	spoolsv.exe	243
PID 5176 set thread context of 5612	5176	spoolsv.exe	247
PID 5408 set thread context of 5724	5408	explorer.exe	250
PID 5912 set thread context of 5836	5912	spoolsv.exe	253
PID 5532 set thread context of 5504	5532	spoolsv.exe	256
PID 6044 set thread context of 5904	6044	explorer.exe	259
PID 2384 set thread context of 5840	2384	spoolsv.exe	262
PID 5792 set thread context of 5908	5792	spoolsv.exe	265
PID 3396 set thread context of 2616	3396	explorer.exe	268
PID 1156 set thread context of 6072	1156	spoolsv.exe	271
PID 2284 set thread context of 5056	2284	spoolsv.exe	277
PID 4256 set thread context of 4916	4256	explorer.exe	280
PID 3248 set thread context of 2744	3248	spoolsv.exe	285
PID 3084 set thread context of 5248	3084	spoolsv.exe	288
PID 2748 set thread context of 3060	2748	explorer.exe	291
PID 5152 set thread context of 1376	5152	spoolsv.exe	294
PID 1796 set thread context of 5224	1796	spoolsv.exe	297
PID 6020 set thread context of 5208	6020	explorer.exe	300
PID 532 set thread context of 436	532	spoolsv.exe	303
PID 5400 set thread context of 5520	5400	spoolsv.exe	306
PID 5220 set thread context of 3324	5220	explorer.exe	309
PID 5676 set thread context of 4144	5676	spoolsv.exe	314
PID 3052 set thread context of 860	3052	spoolsv.exe	317
PID 2016 set thread context of 4856	2016	explorer.exe	320
PID 5700 set thread context of 1912	5700	spoolsv.exe	323
PID 464 set thread context of 5876	464	spoolsv.exe	326
PID 5868 set thread context of 5412	5868	explorer.exe	331
PID 5932 set thread context of 5912	5932	spoolsv.exe	334

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.ex_	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	Process not Found
File opened for modification	\??\c:\windows\resources\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\spoolsv.ex_	spoolsv.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	Process not Found
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1568	6072	WerFault.exe	271
3328	2076	WerFault.exe	996
2696	5352	WerFault.exe	1038

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LgendPremium.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2332	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	A3.exe
224	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
3660	A3.exe
2748	icsys.icn.exe
2748	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
4444	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2644	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	4363463463464363463463463.exe
Token: SeDebugPrivilege	1524	Mswgoudnv.exe
Token: SeDebugPrivilege	2008	langla.exe
Token: SeDebugPrivilege	5572	http.exe
Token: SeDebugPrivilege	5572	http.exe
Token: SeDebugPrivilege	1524	Mswgoudnv.exe
Token: SeDebugPrivilege	1020	iarmih.exe
Token: SeDebugPrivilege	1020	iarmih.exe
Token: SeDebugPrivilege	5168	powershell.exe
Token: SeIncreaseQuotaPrivilege	5168	powershell.exe
Token: SeSecurityPrivilege	5168	powershell.exe
Token: SeTakeOwnershipPrivilege	5168	powershell.exe
Token: SeLoadDriverPrivilege	5168	powershell.exe
Token: SeSystemProfilePrivilege	5168	powershell.exe
Token: SeSystemtimePrivilege	5168	powershell.exe
Token: SeProfSingleProcessPrivilege	5168	powershell.exe
Token: SeIncBasePriorityPrivilege	5168	powershell.exe
Token: SeCreatePagefilePrivilege	5168	powershell.exe
Token: SeBackupPrivilege	5168	powershell.exe
Token: SeRestorePrivilege	5168	powershell.exe
Token: SeShutdownPrivilege	5168	powershell.exe
Token: SeDebugPrivilege	5168	powershell.exe
Token: SeSystemEnvironmentPrivilege	5168	powershell.exe
Token: SeRemoteShutdownPrivilege	5168	powershell.exe
Token: SeUndockPrivilege	5168	powershell.exe
Token: SeManageVolumePrivilege	5168	powershell.exe
Token: 33	5168	powershell.exe
Token: 34	5168	powershell.exe
Token: 35	5168	powershell.exe
Token: 36	5168	powershell.exe
Token: SeIncreaseQuotaPrivilege	5168	powershell.exe
Token: SeSecurityPrivilege	5168	powershell.exe
Token: SeTakeOwnershipPrivilege	5168	powershell.exe
Token: SeLoadDriverPrivilege	5168	powershell.exe
Token: SeSystemProfilePrivilege	5168	powershell.exe
Token: SeSystemtimePrivilege	5168	powershell.exe
Token: SeProfSingleProcessPrivilege	5168	powershell.exe
Token: SeIncBasePriorityPrivilege	5168	powershell.exe
Token: SeCreatePagefilePrivilege	5168	powershell.exe
Token: SeBackupPrivilege	5168	powershell.exe
Token: SeRestorePrivilege	5168	powershell.exe
Token: SeShutdownPrivilege	5168	powershell.exe
Token: SeDebugPrivilege	5168	powershell.exe
Token: SeSystemEnvironmentPrivilege	5168	powershell.exe
Token: SeRemoteShutdownPrivilege	5168	powershell.exe
Token: SeUndockPrivilege	5168	powershell.exe
Token: SeManageVolumePrivilege	5168	powershell.exe
Token: 33	5168	powershell.exe
Token: 34	5168	powershell.exe
Token: 35	5168	powershell.exe
Token: 36	5168	powershell.exe
Token: SeIncreaseQuotaPrivilege	5168	powershell.exe
Token: SeSecurityPrivilege	5168	powershell.exe
Token: SeTakeOwnershipPrivilege	5168	powershell.exe
Token: SeLoadDriverPrivilege	5168	powershell.exe
Token: SeSystemProfilePrivilege	5168	powershell.exe
Token: SeSystemtimePrivilege	5168	powershell.exe
Token: SeProfSingleProcessPrivilege	5168	powershell.exe
Token: SeIncBasePriorityPrivilege	5168	powershell.exe
Token: SeCreatePagefilePrivilege	5168	powershell.exe
Token: SeBackupPrivilege	5168	powershell.exe
Token: SeRestorePrivilege	5168	powershell.exe
Token: SeShutdownPrivilege	5168	powershell.exe
Token: SeDebugPrivilege	5168	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3656	a3.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3660	A3.exe
3660	A3.exe
4444	icsys.icn.exe
4444	icsys.icn.exe
2644	explorer.exe
2644	explorer.exe
2224	spoolsv.exe
2224	spoolsv.exe
4404	explorer.exe
4404	explorer.exe
2732	spoolsv.exe
2732	spoolsv.exe
3060	explorer.exe
3060	explorer.exe
3620	spoolsv.exe
3620	spoolsv.exe
5092	spoolsv.exe
5092	spoolsv.exe
3372	explorer.exe
5228	spoolsv.exe
3372	explorer.exe
5228	spoolsv.exe
4836	spoolsv.exe
4836	spoolsv.exe
5264	explorer.exe
5264	explorer.exe
5440	spoolsv.exe
5440	spoolsv.exe
2612	spoolsv.exe
2612	spoolsv.exe
2440	explorer.exe
2440	explorer.exe
3660	spoolsv.exe
3660	spoolsv.exe
5180	spoolsv.exe
5180	spoolsv.exe
5444	explorer.exe
5444	explorer.exe
5560	spoolsv.exe
5560	spoolsv.exe
6140	spoolsv.exe
6140	spoolsv.exe
5848	explorer.exe
5848	explorer.exe
5900	spoolsv.exe
5900	spoolsv.exe
6112	spoolsv.exe
6112	spoolsv.exe
3720	explorer.exe
3720	explorer.exe
2348	spoolsv.exe
2348	spoolsv.exe
2220	spoolsv.exe
2220	spoolsv.exe
2748	explorer.exe
2748	explorer.exe
5128	spoolsv.exe
5128	spoolsv.exe
5060	spoolsv.exe
5060	spoolsv.exe
5564	explorer.exe
5564	explorer.exe
4472	spoolsv.exe
4472	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 216	748	4363463463464363463463463.exe	89
PID 748 wrote to memory of 216	748	4363463463464363463463463.exe	89
PID 748 wrote to memory of 2196	748	4363463463464363463463463.exe	94
PID 748 wrote to memory of 2196	748	4363463463464363463463463.exe	94
PID 748 wrote to memory of 2196	748	4363463463464363463463463.exe	94
PID 748 wrote to memory of 3484	748	4363463463464363463463463.exe	100
PID 748 wrote to memory of 3484	748	4363463463464363463463463.exe	100
PID 748 wrote to memory of 3484	748	4363463463464363463463463.exe	100
PID 748 wrote to memory of 684	748	4363463463464363463463463.exe	101
PID 748 wrote to memory of 684	748	4363463463464363463463463.exe	101
PID 748 wrote to memory of 684	748	4363463463464363463463463.exe	101
PID 684 wrote to memory of 2348	684	cock.exe	103
PID 684 wrote to memory of 2348	684	cock.exe	103
PID 684 wrote to memory of 2348	684	cock.exe	103
PID 684 wrote to memory of 2348	684	cock.exe	103
PID 684 wrote to memory of 1816	684	cock.exe	104
PID 684 wrote to memory of 1816	684	cock.exe	104
PID 684 wrote to memory of 1816	684	cock.exe	104
PID 684 wrote to memory of 1816	684	cock.exe	104
PID 684 wrote to memory of 1816	684	cock.exe	104
PID 684 wrote to memory of 1816	684	cock.exe	104
PID 684 wrote to memory of 1816	684	cock.exe	104
PID 684 wrote to memory of 1816	684	cock.exe	104
PID 3484 wrote to memory of 224	3484	Encrypted2.exe	105
PID 3484 wrote to memory of 224	3484	Encrypted2.exe	105
PID 3484 wrote to memory of 224	3484	Encrypted2.exe	105
PID 224 wrote to memory of 2356	224	A3.exe	106
PID 224 wrote to memory of 2356	224	A3.exe	106
PID 224 wrote to memory of 2356	224	A3.exe	106
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 224 wrote to memory of 3660	224	A3.exe	107
PID 3660 wrote to memory of 3656	3660	A3.exe	108
PID 3660 wrote to memory of 3656	3660	A3.exe	108
PID 748 wrote to memory of 2008	748	4363463463464363463463463.exe	109
PID 748 wrote to memory of 2008	748	4363463463464363463463463.exe	109
PID 748 wrote to memory of 2008	748	4363463463464363463463463.exe	109
PID 3660 wrote to memory of 2748	3660	A3.exe	110
PID 3660 wrote to memory of 2748	3660	A3.exe	110
PID 3660 wrote to memory of 2748	3660	A3.exe	110
PID 2748 wrote to memory of 540	2748	icsys.icn.exe	111
PID 2748 wrote to memory of 540	2748	icsys.icn.exe	111
PID 2748 wrote to memory of 540	2748	icsys.icn.exe	111
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112
PID 2748 wrote to memory of 4444	2748	icsys.icn.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\Files\file.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
    3⤵
    - Executes dropped EXE
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\Files\4.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\4.exe"
    3⤵
    - Executes dropped EXE
    PID:2196
- - C:\Users\Admin\AppData\Local\Temp\Files\Encrypted2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Encrypted2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\A3.exe
      "C:\Users\Admin\AppData\Local\Temp\A3.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:224
    - - C:\Users\Admin\AppData\Local\Temp\A3.exe
        
        C:\Users\Admin\AppData\Local\Temp\A3.exe
        5⤵
        Executes dropped EXE
        
        PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\A3.exe
        
        C:\Users\Admin\AppData\Local\Temp\A3.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3660
      - \??\c:\users\admin\appdata\local\temp\a3.exe
        
        c:\users\admin\appdata\local\temp\a3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:3656
      - C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        7⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        
        C:\Windows\Resources\Themes\icsys.icn.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4444
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1936
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        9⤵
        Executes dropped EXE
        
        PID:4932
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        9⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2644
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1648
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:4144
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3036
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        
        PID:3972
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        
        PID:3708
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4404
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:4660
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:3808
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:4192
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        
        PID:3908
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3060
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:852
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:2744
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3620
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1520
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:4516
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5092
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4124
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        
        PID:4464
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3372
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2552
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:5188
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3868
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:1184
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4836
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5232
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5264
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5316
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:5416
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5440
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5736
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:4440
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4488
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        
        PID:4856
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:1912
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:4708
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5132
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Executes dropped EXE
        
        PID:5176
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5180
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:5404
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5428
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5444
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5512
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5548
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5560
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:6036
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6076
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6140
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5800
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5824
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5848
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5860
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5780
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5872
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5896
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5900
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:6048
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6072
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6096
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6108
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:6112
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:2900
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5028
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3344
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3048
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3720
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:4916
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4116
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:3960
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3672
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:2736
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4872
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:4516
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5172
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5128
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:3588
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3984
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5188
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2552
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:532
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:5284
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5460
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5520
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5476
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5260
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5556
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5564
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5588
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3324
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4472
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5640
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5688
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1388
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:2848
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4440
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5096
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3012
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1980
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3492
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2672
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5176
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5528
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5612
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5448
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5724
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5912
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5828
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5836
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5532
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5368
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5504
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:6044
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5788
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5904
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2384
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5808
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5840
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5792
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5888
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5908
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:3396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2616
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:1156
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6088
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6072 -s 156
        12⤵
        Program crash
        
        PID:1568
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:2284
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1336
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5056
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:4256
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3328
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4916
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:3248
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4400
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3296
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2716
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2744
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:3084
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4724
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5248
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:2748
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4136
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3060
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5152
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2676
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1376
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:1796
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3796
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5224
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6020
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5916
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5208
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:532
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5496
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:436
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5400
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5460
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5520
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:5220
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2076
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3324
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        
        PID:5676
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5696
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5668
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:224
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4144
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:3052
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4060
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:860
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:2016
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3216
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4856
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5700
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5192
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1912
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:464
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5352
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5876
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Suspicious use of SetThreadContext
        
        PID:5868
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5568
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5732
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5444
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5412
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Suspicious use of SetThreadContext
        
        PID:5932
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5844
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:4328
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5704
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Files\Mswgoudnv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\Mswgoudnv.exe"
        13⤵
        
        PID:4196
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5360
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5788
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6128
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5364
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2384
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5784
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5872
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1216
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1012
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3852
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4208
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5792
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4100
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1016
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:6080
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4140
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3164
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2348
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5028
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:736
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2696
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3304
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2668
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2284
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3296
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3248
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:2448
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3908
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:808
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4464
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3960
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5140
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5128
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4288
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1760
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1376
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5996
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:2004
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5240
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1144
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5228
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5500
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3724
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5984
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6012
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5252
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4052
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3100
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:448
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4576
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4840
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5400
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4704
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:8
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3792
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5744
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5624
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5396
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3492
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5640
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:708
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5604
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5196
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5428
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5680
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5540
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5560
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6064
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3312
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:1504
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4152
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1628
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:652
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5372
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3364
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:508
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2856
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5932
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5940
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5904
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:3188
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5936
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2384
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4004
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3104
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1356
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5772
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:364
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4792
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:6096
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1624
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4536
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5976
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1852
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2380
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4820
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4420
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1568
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:3392
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2564
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6048
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3304
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3708
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:544
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5288
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5280
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4436
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4832
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2744
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:4724
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5216
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4468
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4824
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:852
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4464
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1928
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3904
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1760
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4564
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5440
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5188
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5164
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5324
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5916
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1796
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2020
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3688
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5292
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2184
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4948
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3588
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5708
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5536
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5276
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1668
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4840
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5332
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1580
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1980
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3012
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5712
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5576
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5096
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4144
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:792
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5656
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3428
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1912
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5592
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5444
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3112
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5828
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1400
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5964
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2204
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5368
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5948
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:6052
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2528
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2504
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:508
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6032
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4936
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1112
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:804
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5764
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4616
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3808
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4992
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5808
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5936
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5772
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4100
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5040
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:800
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5364
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6136
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1852
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5880
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4916
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2564
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4820
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2232
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2136
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5280
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:544
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3060
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4604
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3996
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4288
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2584
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:852
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3304
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4516
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3048
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5920
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5212
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:532
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1068
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:2688
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3056
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:4868
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5496
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5984
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5916
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4544
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4644
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2028
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2076
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2680
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5392
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5276
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4840
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5696
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3012
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5712
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4876
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4704
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5204
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5144
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5804
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5548
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5196
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5592
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5444
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:6084
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4152
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5516
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5544
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5964
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5532
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5836
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4580
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5948
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5856
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5992
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3104
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1176
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:6024
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1112
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5764
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4936
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3808
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4616
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5780
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5808
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1624
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:460
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4100
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2380
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1692
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3188
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:4116
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6120
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3328
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:6048
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3044
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4200
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5976
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1016
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6080
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:684
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1572
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2564
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2284
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2356
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3084
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3520
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4624
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5152
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2948
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3940
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6060
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:4784
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3092
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3868
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5468
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4584
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4316
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5164
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5240
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4492
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5212
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6012
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3688
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5292
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3588
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4452
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5128
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:212
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:4052
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1596
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:224
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3724
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5460
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5424
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1580
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1976
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3024
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4008
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5636
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5024
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4604
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3048
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5728
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1196
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1328
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5836
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3660
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1356
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:4212
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3940
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2252
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5516
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5148
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2880
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3284
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6076
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3552
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5464
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3676
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5972
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5600
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5552
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1416
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1084
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1156
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2380
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:3204
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:364
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5376
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:208
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6060
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5456
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3708
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5152
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5256
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5472
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5352
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5324
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2088
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:708
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5532
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4984
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1232
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1336
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3620
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:4420
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4104
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1036
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3152
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2160
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3296
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2948
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1572
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1196
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5728
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2208
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5932
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5272
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1964
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:436
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1920
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5288
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5704
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:1980
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2264
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6004
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1928
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4704
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3588
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6036
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4876
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:448
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5168
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5160
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1704
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5268
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6032
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5700
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:8
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4644
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5552
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3852
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2756
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1860
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1144
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2676
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5512
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6100
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5208
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:2920
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4136
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5200
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3960
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4624
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3344
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5860
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5904
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5096
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5192
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5216
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:808
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4956
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5372
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5896
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3372
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5212
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4832
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1376
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5560
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5352
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3056
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4824
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5304
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:4200
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2504
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1336
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:2076
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5788
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4492
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1760
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2976
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4984
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3704
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2356
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3808
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5272
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5664
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4436
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1668
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:6120
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1580
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5768
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3324
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1264
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5172
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:876
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5852
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:448
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5540
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5780
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4652
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5168
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3284
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1112
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5100
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3820
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3944
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5552
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:852
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5204
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5840
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5640
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:532
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:460
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5040
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4616
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6052
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3672
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4540
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6080
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1560
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5832
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5904
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3840
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:808
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1012
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6048
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5216
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4840
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4832
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4856
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5980
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4868
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:4576
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2020
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5448
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5584
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3620
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5544
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4104
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:388
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5312
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5392
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4604
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1496
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4288
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5156
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5764
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2192
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5516
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4236
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5864
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5828
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1760
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:436
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4788
        
        C:\ProgramData\iqdoetl\iarmih.exe
        
        "C:\ProgramData\iqdoetl\iarmih.exe"
        10⤵
        
        PID:5524
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:6128
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5292
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3560
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:6004
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6104
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4876
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5424
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1416
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5588
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1516
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5100
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3676
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5552
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:852
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1112
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5296
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2676
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4008
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4580
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3344
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3524
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5456
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:208
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5040
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3996
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5096
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5348
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3352
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:640
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:2692
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2180
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5992
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1376
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4784
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4832
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3708
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3796
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2088
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4484
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5128
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2068
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5388
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4916
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5560
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5340
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4468
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1328
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3152
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3244
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3296
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4984
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4604
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5516
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1496
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:4236
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5828
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4964
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4788
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5660
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1292
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2368
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1116
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5292
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:448
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:4452
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:956
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6104
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1912
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3284
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5344
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4936
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6100
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:628
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6032
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5640
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5556
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5588
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2844
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4440
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2124
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2184
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5512
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5200
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4100
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:180
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2952
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5192
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6060
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5152
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5732
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5040
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4332
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:6088
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2896
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6072
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:2716
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5212
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:228
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:4728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:708
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6056
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5324
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2284
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6000
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5128
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:684
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5584
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:1336
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4380
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4192
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:6076
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1848
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5452
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:4104
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2192
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 156
        12⤵
        Program crash
        
        PID:3328
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1520
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3324
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6120
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1500
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2564
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        Drops file in Windows directory
        
        PID:5420
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1292
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:2228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3984
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5540
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3584
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5924
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3312
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6132
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:1912
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3304
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5948
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5496
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4936
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6100
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2528
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4628
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5124
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5792
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1016
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5976
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5416
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5604
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3996
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5860
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5192
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1216
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1012
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:6088
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1840
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3044
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5212
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 156
        12⤵
        Program crash
        
        PID:2696
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3008
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3708
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2284
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:1576
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5272
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3152
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5388
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4400
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:4492
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4468
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1328
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5920
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3904
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4288
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4872
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5664
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4940
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:800
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2368
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1704
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5780
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3416
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5424
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:2228
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1760
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4652
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3584
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3404
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4876
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:5844
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5972
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3304
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5552
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4936
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5344
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6100
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5380
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3724
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:180
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:212
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:5644
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5740
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5096
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:2668
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:6048
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1400
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1036
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1376
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:1016
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1084
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2184
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2136
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:1840
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5788
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5240
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:6056
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5896
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4856
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5216
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5940
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5836
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:388
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5272
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5312
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5636
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2088
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3660
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:3620
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:5452
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:1848
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:332
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:5576
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3296
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:3132
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5228
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2076
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4396
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:1928
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:2368
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:800
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        12⤵
        
        PID:3804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:4644
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        13⤵
        
        PID:3024
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        Drops file in Windows directory
        
        PID:2756
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5608
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:4624
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        10⤵
        
        PID:2952
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe
        11⤵
        
        PID:5140
- - C:\Users\Admin\AppData\Local\Temp\Files\cock.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cock.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Files\langla.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\langla.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"' & exit
      4⤵
      PID:4468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "http" /tr '"C:\Users\Admin\AppData\Roaming\http.exe"'
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA8F.tmp.bat""
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2332
    - - C:\Users\Admin\AppData\Roaming\http.exe
        
        "C:\Users\Admin\AppData\Roaming\http.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5572
- - C:\Users\Admin\AppData\Local\Temp\Files\Mswgoudnv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Mswgoudnv.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5720
- - C:\Users\Admin\AppData\Local\Temp\Files\UpdateSSSS.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\UpdateSSSS.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:5684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:5944
- - C:\Users\Admin\AppData\Local\Temp\Files\Authenticator.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Authenticator.exe"
    3⤵
    PID:6124
- - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wczaqphd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTwaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Gowogle\Chwrome\uwpdater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTwaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6072 -ip 6072
1⤵
PID:1016

C:\ProgramData\iqdoetl\iarmih.exe
C:\ProgramData\iqdoetl\iarmih.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2076 -ip 2076
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5352 -ip 5352
1⤵
PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A3.exe

Filesize
5.8MB

MD5
1392bfc8f059d959b5b251d3d651dedb

SHA1
1bb03d893222f35dd2f816eb65b2481a677d11d8

SHA256
14af32f4c3f443d9203726cfca49e18bba8f248561863410fefffad41b47a32b

SHA512
30398215e0805222f9ec895cda09f8625e8a881ce334348f4d85ca9f0d4f4cef4c9b05c50f88d594c7b96a11200d8fa5018ed7342a3e0e3a54db14625ae673ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3.exe

Filesize
9.8MB

MD5
6f804d98df32ee28685d8468e619dd87

SHA1
cc4813865c1600e7c7b772d692a37dd752a7cc6a

SHA256
3b567592754e25eaa9246e3b267eebccaa870494c351b87ce2124f3e03a676aa

SHA512
af1280f4db7b70f9a94f20837258a5a6ca7cbbe1a4cc44d0b938a10290496802793d631e4cce155597dfc05243624013750310a2baf260c085f29316682d37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\4.exe

Filesize
728KB

MD5
58d65f5fca31cd83c18163b56b27f246

SHA1
ebb839bff73785c78d54128b235f72ce1c5c0cee

SHA256
7b827fb44a58dd2362be39abafa00a74e2f105c0fc5a5aa4ef3f3bdac5d13408

SHA512
5502a4d0e57fe051edf0098a32fce0ebe94108c841d327e773764fcf62c95dec96af772c0f8fbc56e2b7220d3189931c09905f24838eb3dc3f539dcfd3ffac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Authenticator.exe

Filesize
11.0MB

MD5
dae181fa127103fdc4ee4bf67117ecfb

SHA1
02ce95a71cadd1fd45351690dc5e852bec553f85

SHA256
f18afd984df441d642187620e435e8b227c0e31d407f82a67c6c8b36f94bd980

SHA512
d2abe0aec817cede08c406b65b3d6f2c6930599ead28ea828c29d246e971165e3af655a10724ca3c537e70fe5c248cdc01567ed5a0922b183a9531b126368e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Encrypted2.exe

Filesize
6.0MB

MD5
8ee6ee2f0764ee8b9e65ffeffdbde62a

SHA1
aad978a009b86b6d2a93d33b587e21335f1b3015

SHA256
170a8c6980f521bdf05f6a6af76be8716f211cd0aa5aa7e6e50aa356447582a4

SHA512
32af8ace35b3239fb4b3dc6145a0f2657c1ad68bcf71f8e91717d285c26a483c8f0449c288a35c3681f432a5af55a7bcf24f170aef35961b4002217228c98ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe

Filesize
5.7MB

MD5
c84baaa0b67d15dbc989ca2eb55a9b1c

SHA1
20231d1285e4de0916cc71e7d590313296f9d539

SHA256
9f8b8bd90df6a73c3fbd5eb730ca6866f2de8f09ba273d73e7a91731ca90ae79

SHA512
3decb9123dccef7da39cb2c51ba44b30fc79d68b9192b1e9fec95d3b19d2e77de593bfd6c2601718dc975148608ec21bfe047d103db1ba12fb1f2f954ea3de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Mswgoudnv.exe

Filesize
924KB

MD5
de64bb0f39113e48a8499d3401461cf8

SHA1
8d78c2d4701e4596e87e3f09adde214a2a2033e8

SHA256
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a

SHA512
35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\UpdateSSSS.exe

Filesize
565KB

MD5
9bd3fecfb842b3d4d7f02500e78211b2

SHA1
9687e3b7ca67baf2a82f76919d2b254dedc1e762

SHA256
604fa32b76dbe266da3979b7a49e3100301da56f0b58c13041ab5febe55354d2

SHA512
a4e522a8c057ad4443afededb93c66a5a8a085d6c5c677b917c626b3c20f3f40672501faa37149feb193228cea0901f77b7ff3d90044d7781ae510a498b9cc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cock.exe

Filesize
1.2MB

MD5
bd909fb2282ec2e4a11400157c33494a

SHA1
ab693a29a38b705be8c3b29172c6ac1374463f62

SHA256
9941dc8857ef1b6ffc86f88bd755789ded1b42c6aead836e88466d97bb1db392

SHA512
81857f502dc0a3d922bd74a0fdde3958c05a743c50dc8281b5db74b593a020e5d1d65677e645a2a262bb873c523765ba7274b359ec9eaf7442db7caf5e5fdf28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
132KB

MD5
47a0d90c01b43ed755d1152ffc3a5068

SHA1
d64caae19df907674be77958530253e2f237409b

SHA256
a26182ad8e56a4b616ae2aa516c22a80d8030f08e36d05b13f7438bc3781309d

SHA512
2c60a1fedfa41f8fbc20d37051ae10894043a9a908b48ddcc144a7df396e186d01ecb18569d75355c4a810cbeba815bb8881c498d0c366092f0e6f35d6d14612

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\langla.exe

Filesize
45KB

MD5
24fbdb6554fadafc115533272b8b6ea0

SHA1
8c874f8ba14f9d3e76cf73d27ae8806495f09519

SHA256
1954e0151deb50691b312e7e8463bd2e798f78ff0d030ce1ef889e0207cc03aa

SHA512
155853c0d8706b372ba9bc6bce5eb58e8bd332fd30900b26c4f3cc7d1e769259bc1c79eeca1ad72830cee06b79500cea12636b865bf8b571c4a790fbb1bbd7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICONE.CUR

Filesize
326B

MD5
dbd44c4ac444d2e0448ec0ad24ec0698

SHA1
371d786818f0a4242d2fced0c83412caa6c17a28

SHA256
bf79bffdba70f456cb406fd1ece8652750363b94188510b5d73f36c8ea6e7ae9

SHA512
e8025ceb6ecb76b480f279d7e42deec8b96c0c1d64cfa3b7af1e68320281f0f2a9b886afc16aade4e2178878970c4909fd650c1dc3c37594d040141ed0ab113f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agzcf3jo.1st.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3.exe

Filesize
5.6MB

MD5
c20090d6f18f2d07459c62262e3e0317

SHA1
594379a8d0d5f90766da73437ae93d6ef1d9b363

SHA256
f1278210e1f14ebe545847b88ffd5cd048171c1f532f9f3504e3ba8071a6949d

SHA512
c2db39f863c86676afc35df61e08b2bb906211b77b7163eb190ac5b71393fadc1867f300c5c5a27b38fb33fd59b02a5c67d4d078ca77de1b68287edb04ea02a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA8F.tmp.bat

Filesize
148B

MD5
bc11eb6157e67be110be37dbb4a6bf2e

SHA1
bd7e924b76f1a29406b36a5f2ea9bfe90c64719c

SHA256
acb139817cd8046ba8727d7cc3ef539396c5eea53ce1a43ee64e5c85b74578d9

SHA512
69dd95af6bc82305c34c8667d181753867a11e1833063e66cd802887a5979c3ea38a174896987d69d45051d0d93b825178925132279f57c7138beca05e10b88b

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
281KB

MD5
2e42e84ba54eae8e7fff1d956910889f

SHA1
5c8455a637b815d69452469643bbdd0f641c6ade

SHA256
20c149e5dd1a7a3484bc0d68c973c07daa065fb9a3babb985094801b10a4983b

SHA512
9acca40cc4a2bd7417e37c36b3d7a8343f9e06b3ed17e8f716e613a0067d120e5cd685f78848d24bb4daa385b21c613faa2ac04e42959baea0b411dbc5dfabfb

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
298KB

MD5
9e32034415b90875131ce054f3f4f09e

SHA1
13e10bb1b7d350cb88f141c2bc2960a7ed1bb36e

SHA256
21eb12aa7aaa294ae3580c87e69fdf19265b161e9b6c3be713ddd2b6ab52c2d3

SHA512
5a9a6787098e6dde1880ee8e4cc387741897cf0658806845f1e4a098da7006e80c60d221c753c4988f778b3346d6e94ad820a600638d522af95e3b8d9a0d818d

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
299KB

MD5
95968ac6c3b1de0a1d62d13e3bb584a5

SHA1
9ad0a29314a6848704440717c0e3f6c360c02ce1

SHA256
3f83129e533098b34b726dab12fe786c780ac6bbbd927d9ac8f4643a2f8ccbc9

SHA512
4823b61eaf546ab654ebe46c277acdbc8312e76923a234879c0c8d83195a34e1d62557d1f4d22dfb66b7cb73bd0fcd9b8f873f4dd166f263bdfdd84f93591876

Download Submit
memory/216-11-0x00007FF6D9FF0000-0x00007FF6DA028000-memory.dmp

Filesize
224KB

Download
memory/684-55-0x0000000000DC0000-0x0000000000F43000-memory.dmp

Filesize
1.5MB

Download
memory/684-58-0x0000000000DC0000-0x0000000000F43000-memory.dmp

Filesize
1.5MB

Download
memory/748-34-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/748-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/748-1-0x00000000000E0000-0x00000000000E8000-memory.dmp

Filesize
32KB

Download
memory/748-2-0x0000000004AF0000-0x0000000004B8C000-memory.dmp

Filesize
624KB

Download
memory/748-3-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/748-33-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/1524-141-0x0000000005560000-0x000000000563E000-memory.dmp

Filesize
888KB

Download
memory/1524-174-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-1651-0x0000000005800000-0x0000000005854000-memory.dmp

Filesize
336KB

Download
memory/1524-1239-0x00000000056C0000-0x0000000005718000-memory.dmp

Filesize
352KB

Download
memory/1524-1240-0x0000000005720000-0x000000000576C000-memory.dmp

Filesize
304KB

Download
memory/1524-144-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-145-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-147-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-149-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-151-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-153-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-155-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-157-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-139-0x0000000000AF0000-0x0000000000BDE000-memory.dmp

Filesize
952KB

Download
memory/1524-140-0x0000000005480000-0x000000000555C000-memory.dmp

Filesize
880KB

Download
memory/1524-161-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-160-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-180-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-190-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-163-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-198-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-196-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-194-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-192-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-189-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-186-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-184-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-183-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-176-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-166-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-172-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-169-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-178-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1524-167-0x0000000005560000-0x0000000005638000-memory.dmp

Filesize
864KB

Download
memory/1816-61-0x0000000007CD0000-0x0000000007DDA000-memory.dmp

Filesize
1.0MB

Download
memory/1816-60-0x0000000007BA0000-0x0000000007BB2000-memory.dmp

Filesize
72KB

Download
memory/1816-62-0x0000000007C20000-0x0000000007C5C000-memory.dmp

Filesize
240KB

Download
memory/1816-63-0x0000000005190000-0x00000000051DC000-memory.dmp

Filesize
304KB

Download
memory/1816-59-0x0000000008140000-0x0000000008758000-memory.dmp

Filesize
6.1MB

Download
memory/1816-57-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2008-98-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2196-27-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/2196-28-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2196-25-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2196-30-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2196-26-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/2196-32-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2196-29-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/2196-24-0x0000000000980000-0x0000000000A3C000-memory.dmp

Filesize
752KB

Download
memory/3484-47-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/3484-46-0x0000000000EF0000-0x00000000014FA000-memory.dmp

Filesize
6.0MB

Download
memory/3656-86-0x000001E1354B0000-0x000001E135A46000-memory.dmp

Filesize
5.6MB

Download
memory/3660-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5168-4013-0x000001F4408C0000-0x000001F4408E2000-memory.dmp

Filesize
136KB

Download
memory/5684-1388-0x00000000003D0000-0x0000000000464000-memory.dmp

Filesize
592KB

Download
memory/5944-1396-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download