sality | 1bf3d70fa4ee741c07e7aef36ffc609896940d72285b548914841daab5554706

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Au_.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "c:\\windows\\system32\\drivers\\mr.exe"	explorer.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	Au_.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\drivers\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\SysWOW64\drivers\mr.exe	explorer.exe

Deletes itself 1 IoCs

pid	Process
2464	Au_.exe

Executes dropped EXE 18 IoCs

pid	Process
2160	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
2464	Au_.exe
2752	icsys.icn.exe
2908	explorer.exe
2852	spoolsv.exe
1924	explorer.exe
2996	spoolsv.exe
2524	explorer.exe
2180	spoolsv.exe
1728	spoolsv.exe
2972	explorer.exe
1660	spoolsv.exe
1376	explorer.exe
2172	spoolsv.exe
2516	explorer.exe
2512	spoolsv.exe
1700	explorer.exe
756	spoolsv.exe

Loads dropped DLL 29 IoCs

pid	Process
2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
2160	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
2752	icsys.icn.exe
2752	icsys.icn.exe
2908	explorer.exe
2908	explorer.exe
2852	spoolsv.exe
2908	explorer.exe
2908	explorer.exe
2996	spoolsv.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
1728	spoolsv.exe
2908	explorer.exe
2908	explorer.exe
1660	spoolsv.exe
2908	explorer.exe
2908	explorer.exe
2172	spoolsv.exe
2908	explorer.exe
2908	explorer.exe
2512	spoolsv.exe
2908	explorer.exe
2908	explorer.exe
756	spoolsv.exe

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Au_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Au_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Au_.exe
File opened (read-only)	\??\E:	Au_.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2160-14-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2160-21-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2464-61-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-63-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-167-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-166-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-170-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-151-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-62-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-49-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-47-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-54-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-50-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-48-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2464-46-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2160-20-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2160-18-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2160-19-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2464-38-0x0000000001D70000-0x0000000002DFE000-memory.dmp	upx
behavioral1/memory/2160-17-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2160-16-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2160-28-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2160-15-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx
behavioral1/memory/2160-12-0x0000000001E00000-0x0000000002E8E000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SYSTEM.INI	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Au_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016db5-6.dat	nsis_installer_1
behavioral1/files/0x0008000000016db5-6.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2464	Au_.exe
2752	icsys.icn.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe
2908	explorer.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe
Token: SeDebugPrivilege	2464	Au_.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
2752	icsys.icn.exe
2752	icsys.icn.exe
2908	explorer.exe
2908	explorer.exe
2852	spoolsv.exe
2852	spoolsv.exe
1924	explorer.exe
1924	explorer.exe
2908	explorer.exe
2908	explorer.exe
2996	spoolsv.exe
2996	spoolsv.exe
2524	explorer.exe
2524	explorer.exe
2180	spoolsv.exe
2180	spoolsv.exe
1728	spoolsv.exe
1728	spoolsv.exe
2972	explorer.exe
2972	explorer.exe
1660	spoolsv.exe
1660	spoolsv.exe
1376	explorer.exe
1376	explorer.exe
2172	spoolsv.exe
2172	spoolsv.exe
2516	explorer.exe
2516	explorer.exe
2512	spoolsv.exe
2512	spoolsv.exe
1700	explorer.exe
1700	explorer.exe
756	spoolsv.exe
756	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2160	2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2160	2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2160	2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2160	2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2464	2160	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	31
PID 2160 wrote to memory of 2464	2160	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	31
PID 2160 wrote to memory of 2464	2160	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	31
PID 2160 wrote to memory of 2464	2160	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	31
PID 2384 wrote to memory of 2752	2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2752	2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2752	2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	32
PID 2384 wrote to memory of 2752	2384	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	32
PID 2464 wrote to memory of 1112	2464	Au_.exe	19
PID 2464 wrote to memory of 1160	2464	Au_.exe	20
PID 2464 wrote to memory of 1196	2464	Au_.exe	21
PID 2464 wrote to memory of 1496	2464	Au_.exe	25
PID 2464 wrote to memory of 2384	2464	Au_.exe	29
PID 2464 wrote to memory of 2384	2464	Au_.exe	29
PID 2464 wrote to memory of 2752	2464	Au_.exe	32
PID 2464 wrote to memory of 2752	2464	Au_.exe	32
PID 2752 wrote to memory of 2908	2752	icsys.icn.exe	33
PID 2752 wrote to memory of 2908	2752	icsys.icn.exe	33
PID 2752 wrote to memory of 2908	2752	icsys.icn.exe	33
PID 2752 wrote to memory of 2908	2752	icsys.icn.exe	33
PID 2908 wrote to memory of 2852	2908	explorer.exe	34
PID 2908 wrote to memory of 2852	2908	explorer.exe	34
PID 2908 wrote to memory of 2852	2908	explorer.exe	34
PID 2908 wrote to memory of 2852	2908	explorer.exe	34
PID 2852 wrote to memory of 1924	2852	spoolsv.exe	59
PID 2852 wrote to memory of 1924	2852	spoolsv.exe	59
PID 2852 wrote to memory of 1924	2852	spoolsv.exe	59
PID 2852 wrote to memory of 1924	2852	spoolsv.exe	59
PID 2908 wrote to memory of 1280	2908	explorer.exe	36
PID 2908 wrote to memory of 1280	2908	explorer.exe	36
PID 2908 wrote to memory of 1280	2908	explorer.exe	36
PID 2908 wrote to memory of 1280	2908	explorer.exe	36
PID 2908 wrote to memory of 2996	2908	explorer.exe	37
PID 2908 wrote to memory of 2996	2908	explorer.exe	37
PID 2908 wrote to memory of 2996	2908	explorer.exe	37
PID 2908 wrote to memory of 2996	2908	explorer.exe	37
PID 2996 wrote to memory of 2524	2996	spoolsv.exe	38
PID 2996 wrote to memory of 2524	2996	spoolsv.exe	38
PID 2996 wrote to memory of 2524	2996	spoolsv.exe	38
PID 2996 wrote to memory of 2524	2996	spoolsv.exe	38
PID 2908 wrote to memory of 2180	2908	explorer.exe	39
PID 2908 wrote to memory of 2180	2908	explorer.exe	39
PID 2908 wrote to memory of 2180	2908	explorer.exe	39
PID 2908 wrote to memory of 2180	2908	explorer.exe	39
PID 2908 wrote to memory of 1728	2908	explorer.exe	40
PID 2908 wrote to memory of 1728	2908	explorer.exe	40
PID 2908 wrote to memory of 1728	2908	explorer.exe	40
PID 2908 wrote to memory of 1728	2908	explorer.exe	40
PID 1728 wrote to memory of 2972	1728	spoolsv.exe	42
PID 1728 wrote to memory of 2972	1728	spoolsv.exe	42
PID 1728 wrote to memory of 2972	1728	spoolsv.exe	42
PID 1728 wrote to memory of 2972	1728	spoolsv.exe	42
PID 2908 wrote to memory of 1660	2908	explorer.exe	43
PID 2908 wrote to memory of 1660	2908	explorer.exe	43
PID 2908 wrote to memory of 1660	2908	explorer.exe	43
PID 2908 wrote to memory of 1660	2908	explorer.exe	43
PID 1660 wrote to memory of 1376	1660	spoolsv.exe	44
PID 1660 wrote to memory of 1376	1660	spoolsv.exe	44
PID 1660 wrote to memory of 1376	1660	spoolsv.exe	44
PID 1660 wrote to memory of 1376	1660	spoolsv.exe	44

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2384
- - \??\c:\users\admin\appdata\local\temp\da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
    c:\users\admin\appdata\local\temp\da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\admin\appdata\local\temp\
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Deletes itself
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2464
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2744
- - C:\Users\Admin\AppData\Roaming\icsys.icn.exe
    C:\Users\Admin\AppData\Roaming\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Boot or Logon Autostart Execution: Active Setup
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2908
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
    - - C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        5⤵
        
        PID:1280
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2524
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2180
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2972
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1376
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2172
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2516
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2512
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1700
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:756
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2396
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:768
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3056
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2668
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1428
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2420
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2040
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1924
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1652
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2648
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1940
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2832
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1612
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2320
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1972
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2400
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1144
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2012
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:340
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2416
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:392
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:980
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1704
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:924
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2656
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2200
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2356
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1824
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:684
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1840
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2140
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2164
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2376
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2696
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2160
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2308
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2956
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2848
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1556
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2320
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2556
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1812
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1532
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2624
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1304
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2364
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1704
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1272
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2616
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:832
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2516
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:684
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1136
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1784
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:880
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2340
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2704
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2696
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2076
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2728
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2668
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1264
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1288
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2764
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1912
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2580
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1972
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2836
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1980
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1796
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1756
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2784
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1088
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:800
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1864
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1284
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:544
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:740
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1876
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:480
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1784
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1840
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1124
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1424
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2340
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1592
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1652
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2868
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:988
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2668
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2420
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2708
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2308
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1848
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1556
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1580
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2268
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1776
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:576
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2956
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1712
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:440
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2636
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:616
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:372
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2168
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2860
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2792
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2556
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2152
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1984
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2628
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2436
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2928
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:392
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:272
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:832
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1284
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1804
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:740
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1480
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2680
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2072
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2428
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2388
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:676
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1748
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2264
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2572
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1592
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:752
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2392
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2796
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1584
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1648
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:276
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1640
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1604
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2904
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:904
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2708
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1252
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1536
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1732
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1644
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2504
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2748
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2228
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2260
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2964
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:372
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2468
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2860
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3028
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2792
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2720
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1532
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2660
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1976
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2128
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:872
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1324
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:444
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1956
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2476
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:596
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:924
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1284
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1768
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:740
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1052
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1876
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2140
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1136
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2596
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1232
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1964
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2696
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2336
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3056
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1584
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:988
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:276
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2936
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1604
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2904
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3064
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2708
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1476
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3024
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1776
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2764
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2604
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:760
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:568
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2884
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2272
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:292
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2640
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:352
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2620
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1700
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2772
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2960
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1972
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:980
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:304
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2292
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2972
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2304
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1628
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2476
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1864
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1480
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2536
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2364
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1744
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2388
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1840
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3036
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1748
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2696
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2076
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2336
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1668
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1348
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:664
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2868
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2668
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2936
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:904
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2448
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2948
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1940
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3024
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1032
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2872
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2800
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:760
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2768
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:616
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2168
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3028
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2644
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1140
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:296
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2960
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2624
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2920
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1756
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1728
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2412
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:444
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1628
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1332
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2476
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:924
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1768
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2516
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:860
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2136
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2596
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2352
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:680
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2940
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1592
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:752
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:768
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2336
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2824
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:856
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2196
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2296
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1772
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:868
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1616
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2708
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2648
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1476
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1644
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2888
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2956
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2820
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:760
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2788
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2556
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2640
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2924
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:352
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2720
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1984
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2624
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:872
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2944
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1368
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1956
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2656
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2616
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3048
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1548
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2316
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:860
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2364
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:684
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2136
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2704
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2064
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2696
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1400
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:768
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2008
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2336
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2196
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1604
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1924
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2296
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1848
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2268
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2648
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2208
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1644
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1776
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2872
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2840
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:616
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1852
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3060
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2556
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2788
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2580
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2640
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2720
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1976
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1704
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2104
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2176
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2304
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2756
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1636
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2656
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1620
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:820
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:892
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:704
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:316
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2108
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2184
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2316
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2140
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2360
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2412
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1220
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1748
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1356
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2728
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1652
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2796
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1584
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2004
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2196
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2332
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:868
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2268
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2708
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1916
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1736
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:372
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2468
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2788
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2092
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1056
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2772
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1976
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1680
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2416
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2424
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2168
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2128
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1304
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:272
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:544
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1660
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1288
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:892
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2536
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1768
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:860
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1224
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2364
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1424
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2000
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2704
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2392
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2396
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:768
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2336
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1860
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2608
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2004
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2904
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1848
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:868
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:576
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1776
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2888
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:440
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2820
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2980
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2236
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1736
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2620
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2860
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2960
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2836
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2660
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2944
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:800
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2972
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2476
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2356
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1532
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:924
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1824
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1288
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2536
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1692
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2316
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2140
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:676
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2008
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2736
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:316
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2420
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:988
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2612
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2456
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1848
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1204
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1476
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1776
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2840
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1732
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2816
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2820
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1912
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1736
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2640
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:884
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:296
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1428
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2944
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2168
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2104
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:596
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1804
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2164
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1660
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:924
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:740
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1052
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:860
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1768
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2548
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2376
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2000
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:752
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1652
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:756
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1028
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2824
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2408
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2796
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:880

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry