The program creates the file C:\Windows\System32\Mlwx486.sys. You can use procmon or another dynamic monitoring tool to see the file being created, but you cannot see the file on disk because it is hidden.
The program has a kernel component. It is stored in the file’s resource section, and then written to disk and loaded into the kernel as a service.
The program is a rootkit designed to hide files. It uses SSDT hooking to overwrite the entry
NtQueryDirectoryFile, which it uses to prevent the display of
any files beginning with Mlwx (case-sensitive) in directory listings.
Looking at the imports section of this executable, we see imports for
OpenSCManagerA, and ...