sality | 1bf3d70fa4ee741c07e7aef36ffc609896940d72285b548914841daab5554706

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies firewall policy service 3 TTPs 9 IoCs

evasion

Modify Registry

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	Au_.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 3 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Windows security bypass 2 TTPs 18 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "c:\\windows\\system32\\drivers\\mr.exe"	explorer.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	Au_.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	explorer.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\drivers\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\SysWOW64\drivers\mr.exe	explorer.exe

Deletes itself 1 IoCs

pid	Process
3260	Au_.exe

Executes dropped EXE 64 IoCs

pid	Process
3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
3260	Au_.exe
1320	icsys.icn.exe
2856	explorer.exe
3540	spoolsv.exe
3356	explorer.exe
3128	spoolsv.exe
3736	explorer.exe
3204	spoolsv.exe
2240	explorer.exe
2028	spoolsv.exe
4992	explorer.exe
4896	spoolsv.exe
964	explorer.exe
4496	spoolsv.exe
2776	explorer.exe
2508	spoolsv.exe
1120	explorer.exe
4464	spoolsv.exe
2328	explorer.exe
4132	spoolsv.exe
1124	explorer.exe
3980	spoolsv.exe
3092	explorer.exe
3248	spoolsv.exe
2236	explorer.exe
1988	spoolsv.exe
1884	explorer.exe
4092	spoolsv.exe
4184	explorer.exe
1032	spoolsv.exe
2188	explorer.exe
2324	spoolsv.exe
4084	spoolsv.exe
4644	explorer.exe
1484	spoolsv.exe
2340	explorer.exe
2628	spoolsv.exe
2504	explorer.exe
2692	spoolsv.exe
4740	explorer.exe
4972	spoolsv.exe
4892	explorer.exe
1764	spoolsv.exe
4132	explorer.exe
2236	spoolsv.exe
4932	explorer.exe
3920	spoolsv.exe
2464	explorer.exe
1384	spoolsv.exe
4400	explorer.exe
2700	spoolsv.exe
4300	explorer.exe
3296	spoolsv.exe
756	explorer.exe
2644	spoolsv.exe
1912	explorer.exe
60	spoolsv.exe
2024	explorer.exe
3916	spoolsv.exe
3696	explorer.exe
2508	spoolsv.exe
636	explorer.exe
3748	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
3260	Au_.exe
3260	Au_.exe

Windows security modification 2 TTPs 21 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	Au_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	Au_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe"	explorer.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Au_.exe
File opened (read-only)	\??\G:	Au_.exe
File opened (read-only)	\??\E:	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3260 set thread context of 2064	3260	Au_.exe	103
PID 3260 set thread context of 3744	3260	Au_.exe	113

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3576-15-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3576-22-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3576-16-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3576-32-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3576-25-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3576-17-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3576-14-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3576-13-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3576-12-0x0000000002280000-0x000000000330E000-memory.dmp	upx
behavioral2/memory/3260-203-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-202-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-199-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-205-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-204-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-201-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-206-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-198-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-196-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-221-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-222-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-234-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-248-0x0000000006350000-0x00000000073DE000-memory.dmp	upx
behavioral2/memory/3260-251-0x0000000006350000-0x00000000073DE000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000e000000023b96-7.dat	nsis_installer_1
behavioral2/files/0x000e000000023b96-7.dat	nsis_installer_2

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
1320	icsys.icn.exe
1320	icsys.icn.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
3260	Au_.exe
3260	Au_.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe
2856	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Token: SeDebugPrivilege	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3488	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
3488	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
1320	icsys.icn.exe
1320	icsys.icn.exe
2856	explorer.exe
2856	explorer.exe
3540	spoolsv.exe
3540	spoolsv.exe
3356	explorer.exe
3356	explorer.exe
2856	explorer.exe
2856	explorer.exe
3128	spoolsv.exe
3128	spoolsv.exe
3736	explorer.exe
3736	explorer.exe
3204	spoolsv.exe
3204	spoolsv.exe
2240	explorer.exe
2240	explorer.exe
2028	spoolsv.exe
2028	spoolsv.exe
4992	explorer.exe
4992	explorer.exe
4896	spoolsv.exe
4896	spoolsv.exe
964	explorer.exe
964	explorer.exe
4496	spoolsv.exe
4496	spoolsv.exe
2776	explorer.exe
2776	explorer.exe
2508	spoolsv.exe
2508	spoolsv.exe
1120	explorer.exe
1120	explorer.exe
4464	spoolsv.exe
4464	spoolsv.exe
2328	explorer.exe
2328	explorer.exe
4132	spoolsv.exe
4132	spoolsv.exe
1124	explorer.exe
1124	explorer.exe
3980	spoolsv.exe
3980	spoolsv.exe
3092	explorer.exe
3092	explorer.exe
3248	spoolsv.exe
3248	spoolsv.exe
2236	explorer.exe
2236	explorer.exe
1988	spoolsv.exe
1988	spoolsv.exe
1884	explorer.exe
1884	explorer.exe
4092	spoolsv.exe
4092	spoolsv.exe
4184	explorer.exe
4184	explorer.exe
1032	spoolsv.exe
1032	spoolsv.exe
2188	explorer.exe
2188	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3576	3488	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	83
PID 3488 wrote to memory of 3576	3488	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	83
PID 3488 wrote to memory of 3576	3488	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	83
PID 3576 wrote to memory of 760	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	8
PID 3576 wrote to memory of 768	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	9
PID 3576 wrote to memory of 316	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	13
PID 3576 wrote to memory of 2476	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	42
PID 3576 wrote to memory of 2492	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	43
PID 3576 wrote to memory of 2616	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	44
PID 3576 wrote to memory of 3492	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	56
PID 3576 wrote to memory of 3656	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	57
PID 3576 wrote to memory of 3840	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	58
PID 3576 wrote to memory of 3932	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	59
PID 3576 wrote to memory of 3992	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	60
PID 3576 wrote to memory of 4076	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	61
PID 3576 wrote to memory of 4164	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	62
PID 3576 wrote to memory of 4544	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	74
PID 3576 wrote to memory of 4260	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	76
PID 3576 wrote to memory of 4672	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	81
PID 3576 wrote to memory of 3488	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	82
PID 3576 wrote to memory of 3488	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	82
PID 3576 wrote to memory of 3260	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	84
PID 3576 wrote to memory of 3260	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	84
PID 3576 wrote to memory of 3260	3576	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe	84
PID 3488 wrote to memory of 1320	3488	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	85
PID 3488 wrote to memory of 1320	3488	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	85
PID 3488 wrote to memory of 1320	3488	da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe	85
PID 1320 wrote to memory of 2856	1320	icsys.icn.exe	86
PID 1320 wrote to memory of 2856	1320	icsys.icn.exe	86
PID 1320 wrote to memory of 2856	1320	icsys.icn.exe	86
PID 2856 wrote to memory of 3540	2856	explorer.exe	87
PID 2856 wrote to memory of 3540	2856	explorer.exe	87
PID 2856 wrote to memory of 3540	2856	explorer.exe	87
PID 3540 wrote to memory of 3356	3540	spoolsv.exe	88
PID 3540 wrote to memory of 3356	3540	spoolsv.exe	88
PID 3540 wrote to memory of 3356	3540	spoolsv.exe	88
PID 2856 wrote to memory of 3128	2856	explorer.exe	89
PID 2856 wrote to memory of 3128	2856	explorer.exe	89
PID 2856 wrote to memory of 3128	2856	explorer.exe	89
PID 3128 wrote to memory of 3736	3128	spoolsv.exe	90
PID 3128 wrote to memory of 3736	3128	spoolsv.exe	90
PID 3128 wrote to memory of 3736	3128	spoolsv.exe	90
PID 2856 wrote to memory of 3204	2856	explorer.exe	91
PID 2856 wrote to memory of 3204	2856	explorer.exe	91
PID 2856 wrote to memory of 3204	2856	explorer.exe	91
PID 3204 wrote to memory of 2240	3204	spoolsv.exe	92
PID 3204 wrote to memory of 2240	3204	spoolsv.exe	92
PID 3204 wrote to memory of 2240	3204	spoolsv.exe	92
PID 2856 wrote to memory of 2028	2856	explorer.exe	93
PID 2856 wrote to memory of 2028	2856	explorer.exe	93
PID 2856 wrote to memory of 2028	2856	explorer.exe	93
PID 2028 wrote to memory of 4992	2028	spoolsv.exe	94
PID 2028 wrote to memory of 4992	2028	spoolsv.exe	94
PID 2028 wrote to memory of 4992	2028	spoolsv.exe	94
PID 2856 wrote to memory of 4896	2856	explorer.exe	95
PID 2856 wrote to memory of 4896	2856	explorer.exe	95
PID 2856 wrote to memory of 4896	2856	explorer.exe	95
PID 4896 wrote to memory of 964	4896	spoolsv.exe	96
PID 4896 wrote to memory of 964	4896	spoolsv.exe	96
PID 4896 wrote to memory of 964	4896	spoolsv.exe	96
PID 2856 wrote to memory of 4496	2856	explorer.exe	97
PID 2856 wrote to memory of 4496	2856	explorer.exe	97
PID 2856 wrote to memory of 4496	2856	explorer.exe	97
PID 4496 wrote to memory of 2776	4496	spoolsv.exe	98

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Au_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:768

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2492

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2616

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\da52f92e0dedf2b8786c1ececdc7a3d0_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3488
- - \??\c:\users\admin\appdata\local\temp\da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
    c:\users\admin\appdata\local\temp\da52f92e0dedf2b8786c1ececdc7a3d0_jaffacakes118.exe
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=c:\users\admin\appdata\local\temp\
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Checks whether UAC is enabled
      Enumerates connected drives
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      System policy modification
      PID:3260
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        Modifies registry class
        
        PID:2064
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        Modifies registry class
        
        PID:3744
- - C:\Users\Admin\AppData\Roaming\icsys.icn.exe
    C:\Users\Admin\AppData\Roaming\icsys.icn.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Boot or Logon Autostart Execution: Active Setup
      Disables RegEdit via registry modification
      Drops file in Drivers directory
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2856
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3540
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3356
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3128
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3736
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2240
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:964
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2776
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2508
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1120
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4464
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2328
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4132
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1124
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3980
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3092
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3248
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2236
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1988
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1884
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4092
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4184
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1032
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2188
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:2324
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:4084
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:4644
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:2340
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:2628
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2504
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:2692
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4740
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:4972
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4892
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:1764
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:4132
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2236
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:4932
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3920
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2464
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:1384
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:4400
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:2700
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:4300
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:3296
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:2644
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:1912
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:60
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        
        PID:2024
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3916
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:636
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        Executes dropped EXE
        
        PID:3748
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4464
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:344
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:916
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3780
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3548
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1600
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3452
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1384
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4628
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1784
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:724
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4448
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3272
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2180
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4460
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1088
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1212
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1628
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4984
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4220
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4432
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3440
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3024
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3252
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3176
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5060
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2696
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1620
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1820
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3544
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3332
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1212
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4608
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2532
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:840
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1180
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1076
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4440
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:952
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3928
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2344
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4932
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4120
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5092
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1416
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1476
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4228
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2016
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3280
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2372
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2976
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2612
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:212
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:724
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4404
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1952
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4460
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3544
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4496
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3312
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3676
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4776
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:344
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:840
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1572
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2304
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:5044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:952
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3980
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3860
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2584
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3068
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3848
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2580
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4400
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1384
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:780
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1116
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2596
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2436
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:756
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3940
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4448
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:212
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2512
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1348
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2180
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4880
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1852
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1420
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:632
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1072
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1180
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3244
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:648
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1628
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1168
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:952
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3580
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3820
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4944
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1020
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:540
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4336
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:392
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2596
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2976
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3176
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2644
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4140
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1952
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1620
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2504
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1636
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1348
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2624
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:800
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1108
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1420
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1724
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:368
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4564
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1740
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3928
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3504
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3836
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:524
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1104
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3440
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1404
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4228
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4336
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2436
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2020
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1812
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1976
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3588
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4516
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4136
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2284
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2624
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3628
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1616
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1724
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2888
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1180
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2128
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1740
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1192
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:956
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4120
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1676
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2676
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4288
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2580
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2836
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2228
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4228
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3020
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3672
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3272
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3592
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3036
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3768
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4108
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2368
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5096
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4568
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2532
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1880
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1908
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:660
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4196
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1076
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4456
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:720
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4932
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2236
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2520
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2584
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2676
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2272
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3536
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:408
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3076
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1116
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2144
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2436
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4056
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:5068
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1620
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1952
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4548
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4496
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4996
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3124
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1108
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1716
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4380
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1908
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:840
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2888
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4440
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1192
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4632
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:404
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4120
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1384
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2332
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2016
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4280
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4336
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4772
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1092
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:724
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2652
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2776
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3892
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3036
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2368
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1176
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1840
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3124
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1048
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1724
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3140
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1168
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4776
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3596
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:648
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4552
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:956
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4028
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1252
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3836
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4120
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3692
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:220
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:64
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4960
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3076
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:756
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4728
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4668
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:724
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4848
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2652
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:636
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1620
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4880
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1952
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4996
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:800
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1616
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3124
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2356
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4780
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3720
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1076
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:840
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2248
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4940
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4552
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1196
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4028
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2236
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1796
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3440
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3848
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3576
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4604
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3964
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2596
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2228
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2772
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3760
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3304
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3588
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4064
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3752
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1460
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4608
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3036
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:228
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5040
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:632
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1180
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:444
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1740
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2548
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4632
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1296
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1192
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4028
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3580
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2236
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1404
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4600
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3252
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3940
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1104
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4448
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1092
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4208
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3768
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2436
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4548
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:5068
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4516
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3240
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1572
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:228
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:844
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2604
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4380
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:632
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1072
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3860
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2248
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4932
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1304
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3820
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3800
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:524
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3580
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1432
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2580
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4424
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3076
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2704
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:756
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2060
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4576
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1092
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2504
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3588
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4568
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3752
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2624
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4172
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4352
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4996
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:5040
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1616
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2532
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3296
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4780
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1448
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3548
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4176
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3720
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5052
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1016
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4944
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3800
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3692
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2820
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2580
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:216
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2016
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4192
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3728
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2596
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4728
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4628
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3264
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1484
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3188
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1348
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3368
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2284
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2508
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2368
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1480
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2628
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4964
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2356
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1924
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2604
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4744
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1076
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4776
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4596
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4508
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3328
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3452
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4552
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1196
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4888
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3532
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2236
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3636
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4960
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3280
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3940
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1524
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:116
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3760
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1672
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3480
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2516
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4136
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4568
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5036
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2624
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3036
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1880
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1048
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:800
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3124
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1488
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1732
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1908
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2680
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2412
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4632
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2888
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4432
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3820
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4120
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3396
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4400
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2332
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2236
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3636
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3252
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3076
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1104
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4764
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4140
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:116
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4576
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2652
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3304
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2516
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2180
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1840
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1460
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2624
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2104
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1880
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4036
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:800
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:372
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1488
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2604
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1448
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2128
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2412
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4220
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4932
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2248
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:952
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4552
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1520
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:404
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2372
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:780
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4604
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3848
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4668
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4184
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2608
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4192
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1524
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1960
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4056
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4628
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3480
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2508
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1120
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2284
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2960
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3140
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3696
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1924
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5060
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4744
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3296
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1724
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1072
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4556
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3328
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3548
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4432
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3504
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4888
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1972
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4988
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:220
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1836
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1792
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2236
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2524
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4960
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2020
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2228
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3508
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4764
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3760
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2060
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1388
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4628
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3200
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1952
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1348
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:716
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1460
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1200
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2104
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2356
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1852
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3084
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2604
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4176
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2888
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4596
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4928
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4028
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3548
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3820
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3628
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3440
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1476
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3780
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:392
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3576
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:780
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1984
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2704
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2608
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2612
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3508
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3188
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3760
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3368
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1388
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4136
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2180
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4912
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1952
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:992
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1608
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4408
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2304
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:660
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1976
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1124
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1852
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3928
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4176
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4556
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4928
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4432
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1296
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4888
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3628
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4988
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1476
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:392
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3560
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3580
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3076
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2704
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4540
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1004
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4424
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1820
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3588
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1480
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1184
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4172
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:368
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:716
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3140
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:724
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4408
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:508
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:660
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3860
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2532
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2412
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4264
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:648
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4496
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4632
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3068
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1520
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3504
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:964
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3692
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4604
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2976
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:780
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3336
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2644
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3768
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2704
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2596
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1004
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3332
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2504
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3368
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1620
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2180
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1184
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1348
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2624
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1048
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1616
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:5096
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4408
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1976
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:660
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3084
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2532
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1380
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3244
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1072
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2452
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4556
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4944
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4552
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3532
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4512
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2700
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4288
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:216
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2524
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2564
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3336
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3848
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3768
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4728
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:636
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3760
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1104
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2516
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4108
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3752
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2996
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2628
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4172
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1420
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:368
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3432
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4996
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4340
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1724
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1852
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3084
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4508
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4176
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3452
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3248
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1880
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2576
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:952
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2248
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1520
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4536
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2820
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:220
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1476
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4336
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3636
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4668
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2332
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2608
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4184
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:524
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3508
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2436
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1928
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4568
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1004
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4516
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2836
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2180
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1620
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1348
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1952
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1732
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2960
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5096
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:724
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1976
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4196
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:660
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3680
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2412
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3204
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2888
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4496
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4932
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1972
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4632
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:588
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4152
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:788
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3544
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4772
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4564
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4604
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3636
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1164
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2228
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4600
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2612
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2344
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3508
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4576
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5100
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3480
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1920
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1480
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2284
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4064
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1620
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4172
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1184
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1076
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:844
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4964
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3860
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1672
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3084
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2532
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3452
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1612
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1168
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4220
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4120
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3396
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3724
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3928
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4888
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4836
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:5028
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3576
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4336
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4448
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3176
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3264
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3272
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2276
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3252
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2344
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2060
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5068
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3332
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3480
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:408
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2768
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2996
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4404
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1788
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3140
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:992
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2104
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:800
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4964
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:508
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3860
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3296
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2604
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4780
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3084
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1072
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3452
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1304
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2576
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4596
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3532
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2248
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2700
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3784
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1976
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:220
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5028
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4564
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4336
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:780
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3336
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:3272
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2612
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:636
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2436
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1104
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1848
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:5068
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4516
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:408
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4436
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2996
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3036
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1924
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3080
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:992
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1200
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:800
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1452
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:508
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1852
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2312
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2680
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4780
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1044
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1072
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4556
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1304
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3552
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4596
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1404
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2248
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3780
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1676
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4988
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4280
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4224
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2644
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4668
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4228
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:2676
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2044
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3068
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2612
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4628
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2436
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:1388
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:1848
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3200
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:4896
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:4064
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:8
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:5072
    - - \??\c:\windows\SysWOW64\drivers\spoolsv.exe
        
        c:\windows\system32\drivers\spoolsv.exe
        5⤵
        
        PID:2020
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3840

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3932

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3992

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4164

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4544

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4260

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3324

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry