593321ca07f9c6121407d4227251d28691586764486667538f93249e865e150e

Analysis

max time kernel
118s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe
Size

112KB
MD5

f8c937177a66c3eec3981b93f560e90a
SHA1

fee4ceae1277c5dddeb47f1931226a60ed357294
SHA256

593321ca07f9c6121407d4227251d28691586764486667538f93249e865e150e
SHA512

0d0e37f8e00cb529a19951e1dee543eabf201212af09013d62a85bddb3c6b625f399e917d20aae97e1cc1e37ac42e299c0b284c4c62d87fe743e1f9130a48f69
SSDEEP

1536:FMf4iKEFXvxKqHsxoLbuxhqb8Cv/661k2DU3gXRvF3I+OgqHsDKEFXvxg+:Fa/XeyPbu6vC6a3IfOgyuXH

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File created	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe
File opened for modification	C:\Windows\SysWOW64\Drivers\hideproc.sys	msbootlog.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	msbootlog.exe

Executes dropped EXE 64 IoCs

pid	Process
1396	msbootlog.exe
5048	msbootlog.exe
4172	msbootlog.exe
1676	msbootlog.exe
4852	msbootlog.exe
2208	msbootlog.exe
4652	msbootlog.exe
4364	msbootlog.exe
1764	msbootlog.exe
1560	msbootlog.exe
2656	msbootlog.exe
2348	msbootlog.exe
4400	msbootlog.exe
2568	msbootlog.exe
4440	msbootlog.exe
1844	msbootlog.exe
3452	msbootlog.exe
4172	msbootlog.exe
3000	msbootlog.exe
4944	msbootlog.exe
2152	msbootlog.exe
2228	msbootlog.exe
2000	msbootlog.exe
1436	msbootlog.exe
4112	msbootlog.exe
2592	msbootlog.exe
2588	msbootlog.exe
2840	msbootlog.exe
1608	msbootlog.exe
1424	msbootlog.exe
3452	msbootlog.exe
2156	msbootlog.exe
3636	msbootlog.exe
5008	msbootlog.exe
2532	msbootlog.exe
728	msbootlog.exe
3912	msbootlog.exe
2656	msbootlog.exe
1356	msbootlog.exe
3376	msbootlog.exe
1440	msbootlog.exe
3860	msbootlog.exe
5048	msbootlog.exe
1616	msbootlog.exe
2244	msbootlog.exe
3452	msbootlog.exe
2612	msbootlog.exe
2780	msbootlog.exe
2860	msbootlog.exe
2228	msbootlog.exe
2076	msbootlog.exe
1852	msbootlog.exe
4304	msbootlog.exe
1556	msbootlog.exe
4240	msbootlog.exe
2568	msbootlog.exe
3112	msbootlog.exe
4440	msbootlog.exe
4688	msbootlog.exe
4424	msbootlog.exe
4324	msbootlog.exe
2552	msbootlog.exe
4132	msbootlog.exe
4980	msbootlog.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msbootlog.exe	f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msbootlog.exe	f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\setuplog.txt	f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dfinstall.txt	f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
768	f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe
1396	msbootlog.exe
5048	msbootlog.exe
4172	msbootlog.exe
1676	msbootlog.exe
4852	msbootlog.exe
2208	msbootlog.exe
4652	msbootlog.exe
4364	msbootlog.exe
1764	msbootlog.exe
1560	msbootlog.exe
2656	msbootlog.exe
2348	msbootlog.exe
4400	msbootlog.exe
2568	msbootlog.exe
4440	msbootlog.exe
1844	msbootlog.exe
3452	msbootlog.exe
4172	msbootlog.exe
3000	msbootlog.exe
4944	msbootlog.exe
2152	msbootlog.exe
2228	msbootlog.exe
2000	msbootlog.exe
1436	msbootlog.exe
4112	msbootlog.exe
2592	msbootlog.exe
2588	msbootlog.exe
2840	msbootlog.exe
1608	msbootlog.exe
1424	msbootlog.exe
3452	msbootlog.exe
2156	msbootlog.exe
3636	msbootlog.exe
5008	msbootlog.exe
2532	msbootlog.exe
728	msbootlog.exe
3912	msbootlog.exe
2656	msbootlog.exe
1356	msbootlog.exe
3376	msbootlog.exe
1440	msbootlog.exe
3860	msbootlog.exe
5048	msbootlog.exe
1616	msbootlog.exe
2244	msbootlog.exe
3452	msbootlog.exe
2612	msbootlog.exe
2780	msbootlog.exe
2860	msbootlog.exe
2228	msbootlog.exe
2076	msbootlog.exe
1852	msbootlog.exe
4304	msbootlog.exe
1556	msbootlog.exe
4240	msbootlog.exe
2568	msbootlog.exe
3112	msbootlog.exe
4440	msbootlog.exe
4688	msbootlog.exe
4424	msbootlog.exe
4324	msbootlog.exe
2552	msbootlog.exe
4132	msbootlog.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1396	768	f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe	87
PID 768 wrote to memory of 1396	768	f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe	87
PID 768 wrote to memory of 1396	768	f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe	87
PID 1396 wrote to memory of 5048	1396	msbootlog.exe	88
PID 1396 wrote to memory of 5048	1396	msbootlog.exe	88
PID 1396 wrote to memory of 5048	1396	msbootlog.exe	88
PID 5048 wrote to memory of 4172	5048	msbootlog.exe	90
PID 5048 wrote to memory of 4172	5048	msbootlog.exe	90
PID 5048 wrote to memory of 4172	5048	msbootlog.exe	90
PID 4172 wrote to memory of 1676	4172	msbootlog.exe	91
PID 4172 wrote to memory of 1676	4172	msbootlog.exe	91
PID 4172 wrote to memory of 1676	4172	msbootlog.exe	91
PID 1676 wrote to memory of 4852	1676	msbootlog.exe	93
PID 1676 wrote to memory of 4852	1676	msbootlog.exe	93
PID 1676 wrote to memory of 4852	1676	msbootlog.exe	93
PID 4852 wrote to memory of 2208	4852	msbootlog.exe	95
PID 4852 wrote to memory of 2208	4852	msbootlog.exe	95
PID 4852 wrote to memory of 2208	4852	msbootlog.exe	95
PID 2208 wrote to memory of 4652	2208	msbootlog.exe	96
PID 2208 wrote to memory of 4652	2208	msbootlog.exe	96
PID 2208 wrote to memory of 4652	2208	msbootlog.exe	96
PID 4652 wrote to memory of 4364	4652	msbootlog.exe	97
PID 4652 wrote to memory of 4364	4652	msbootlog.exe	97
PID 4652 wrote to memory of 4364	4652	msbootlog.exe	97
PID 4364 wrote to memory of 1764	4364	msbootlog.exe	98
PID 4364 wrote to memory of 1764	4364	msbootlog.exe	98
PID 4364 wrote to memory of 1764	4364	msbootlog.exe	98
PID 1764 wrote to memory of 1560	1764	msbootlog.exe	99
PID 1764 wrote to memory of 1560	1764	msbootlog.exe	99
PID 1764 wrote to memory of 1560	1764	msbootlog.exe	99
PID 1560 wrote to memory of 2656	1560	msbootlog.exe	131
PID 1560 wrote to memory of 2656	1560	msbootlog.exe	131
PID 1560 wrote to memory of 2656	1560	msbootlog.exe	131
PID 2656 wrote to memory of 2348	2656	msbootlog.exe	101
PID 2656 wrote to memory of 2348	2656	msbootlog.exe	101
PID 2656 wrote to memory of 2348	2656	msbootlog.exe	101
PID 2348 wrote to memory of 4400	2348	msbootlog.exe	102
PID 2348 wrote to memory of 4400	2348	msbootlog.exe	102
PID 2348 wrote to memory of 4400	2348	msbootlog.exe	102
PID 4400 wrote to memory of 2568	4400	msbootlog.exe	103
PID 4400 wrote to memory of 2568	4400	msbootlog.exe	103
PID 4400 wrote to memory of 2568	4400	msbootlog.exe	103
PID 2568 wrote to memory of 4440	2568	msbootlog.exe	104
PID 2568 wrote to memory of 4440	2568	msbootlog.exe	104
PID 2568 wrote to memory of 4440	2568	msbootlog.exe	104
PID 4440 wrote to memory of 1844	4440	msbootlog.exe	105
PID 4440 wrote to memory of 1844	4440	msbootlog.exe	105
PID 4440 wrote to memory of 1844	4440	msbootlog.exe	105
PID 1844 wrote to memory of 3452	1844	msbootlog.exe	139
PID 1844 wrote to memory of 3452	1844	msbootlog.exe	139
PID 1844 wrote to memory of 3452	1844	msbootlog.exe	139
PID 3452 wrote to memory of 4172	3452	msbootlog.exe	108
PID 3452 wrote to memory of 4172	3452	msbootlog.exe	108
PID 3452 wrote to memory of 4172	3452	msbootlog.exe	108
PID 4172 wrote to memory of 3000	4172	msbootlog.exe	109
PID 4172 wrote to memory of 3000	4172	msbootlog.exe	109
PID 4172 wrote to memory of 3000	4172	msbootlog.exe	109
PID 3000 wrote to memory of 4944	3000	msbootlog.exe	112
PID 3000 wrote to memory of 4944	3000	msbootlog.exe	112
PID 3000 wrote to memory of 4944	3000	msbootlog.exe	112
PID 4944 wrote to memory of 2152	4944	msbootlog.exe	113
PID 4944 wrote to memory of 2152	4944	msbootlog.exe	113
PID 4944 wrote to memory of 2152	4944	msbootlog.exe	113
PID 2152 wrote to memory of 2228	2152	msbootlog.exe	143

C:\Users\Admin\AppData\Local\Temp\f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f8c937177a66c3eec3981b93f560e90a_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\msbootlog.exe
  "C:\Windows\System32\msbootlog.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\msbootlog.exe
    "C:\Windows\System32\msbootlog.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\msbootlog.exe
      "C:\Windows\System32\msbootlog.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4112
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2592
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2588
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2840
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1424
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2156
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3636
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5008
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        36⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2532
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:728
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3912
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        41⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3376
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1440
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3860
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1616
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3452
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2780
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2228
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        52⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        53⤵
        Drops file in Drivers directory
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4304
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        55⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4240
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3112
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4688
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        61⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4424
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4132
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        65⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        66⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        67⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        68⤵
        
        PID:744
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        69⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        70⤵
        Checks computer location settings
        
        PID:2892
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        71⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        72⤵
        Drops file in Drivers directory
        
        PID:64
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        73⤵
        Checks computer location settings
        
        PID:1504
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        74⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        75⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        76⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        77⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        78⤵
        Checks computer location settings
        
        PID:2244
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        79⤵
        Checks computer location settings
        
        PID:4324
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        80⤵
        
        PID:752
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        81⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        82⤵
        Checks computer location settings
        
        PID:2972
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        83⤵
        Drops file in Drivers directory
        
        PID:2104
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        84⤵
        Drops file in Drivers directory
        
        PID:4028
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        85⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:3416
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        86⤵
        Checks computer location settings
        
        PID:2668
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        87⤵
        Checks computer location settings
        
        PID:4504
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        88⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        89⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        90⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:2588
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        91⤵
        Drops file in Drivers directory
        
        PID:2080
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        92⤵
        Drops file in Drivers directory
        
        PID:400
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        93⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        94⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        95⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        96⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        97⤵
        Checks computer location settings
        
        PID:4644
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        98⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        99⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        100⤵
        Checks computer location settings
        
        PID:2624
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        101⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        102⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        103⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        104⤵
        Checks computer location settings
        
        PID:556
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        105⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        106⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        107⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:2360
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        108⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        109⤵
        Checks computer location settings
        
        PID:1608
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        110⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        111⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        112⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        113⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        114⤵
        Drops file in Drivers directory
        
        PID:4884
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        115⤵
        Checks computer location settings
        
        PID:3284
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        116⤵
        Checks computer location settings
        
        PID:2300
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        117⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        118⤵
        
        PID:768
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        119⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        120⤵
        Drops file in Drivers directory
        
        PID:4496
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        121⤵
        Drops file in Drivers directory
        
        PID:1440
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        122⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        123⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        124⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        125⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        126⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        127⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        128⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        129⤵
        Checks computer location settings
        
        PID:1248
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        130⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        131⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        132⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        133⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        134⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        135⤵
        Drops file in Drivers directory
        
        PID:768
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        136⤵
        Checks computer location settings
        
        PID:2344
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        137⤵
        Checks computer location settings
        
        PID:1512
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        138⤵
        Drops file in Drivers directory
        
        PID:2748
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        139⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        140⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        141⤵
        
        PID:852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        142⤵
        Checks computer location settings
        
        PID:3516
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        143⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        144⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        145⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        146⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        147⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        148⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        149⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        150⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        151⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        152⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        153⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        154⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        155⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        156⤵
        
        PID:852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        157⤵
        Checks computer location settings
        
        PID:5008
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        158⤵
        Drops file in Drivers directory
        
        PID:1016
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        159⤵
        Drops file in Drivers directory
        
        PID:3680
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        160⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        161⤵
        Drops file in Drivers directory
        
        PID:3812
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        162⤵
        Checks computer location settings
        
        PID:3492
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        163⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        164⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        165⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        166⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        167⤵
        Checks computer location settings
        
        PID:1192
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        168⤵
        Checks computer location settings
        
        PID:4608
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        169⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        170⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        171⤵
        Checks computer location settings
        
        PID:4972
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        172⤵
        Checks computer location settings
        
        PID:2484
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        173⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        174⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        175⤵
        Checks computer location settings
        
        PID:4384
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        176⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        177⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        178⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        179⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        180⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        181⤵
        Drops file in Drivers directory
        
        PID:768
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        182⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        183⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        184⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        185⤵
        Drops file in Drivers directory
        
        PID:4568
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        186⤵
        Checks computer location settings
        
        PID:640
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        187⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        188⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        189⤵
        Checks computer location settings
        
        PID:2216
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        190⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        191⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:4168
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        192⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        193⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        194⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        195⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        196⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        197⤵
        Drops file in Drivers directory
        
        PID:2596
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        198⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        199⤵
        Checks computer location settings
        
        PID:548
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        200⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        201⤵
        Drops file in Drivers directory
        
        PID:5068
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        202⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:3452
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        203⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        204⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        205⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        206⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        207⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        208⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        209⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        210⤵
        Drops file in Drivers directory
        
        PID:1840
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        211⤵
        Checks computer location settings
        
        PID:4380
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        212⤵
        Drops file in Drivers directory
        
        PID:456
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        213⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        214⤵
        Drops file in Drivers directory
        
        PID:2368
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        215⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        216⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        217⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        218⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        219⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        220⤵
        Checks computer location settings
        
        PID:5068
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        221⤵
        
        PID:684
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        222⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        223⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        224⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        225⤵
        Drops file in Drivers directory
        
        PID:752
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        226⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        227⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        228⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        229⤵
        Drops file in Drivers directory
        
        PID:1084
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        230⤵
        Checks computer location settings
        
        PID:216
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        231⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        232⤵
        
        PID:404
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        233⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        234⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        235⤵
        Checks computer location settings
        
        PID:2844
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        236⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        237⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        238⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        239⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        240⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        241⤵
        Drops file in Drivers directory
        
        PID:1456
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        242⤵
        Checks computer location settings
        
        PID:4444
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        243⤵
        Checks computer location settings
        
        PID:3616
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        244⤵
        Drops file in Drivers directory
        
        PID:1708
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        245⤵
        
        PID:464
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        246⤵
        Drops file in Drivers directory
        
        PID:2228
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        247⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        248⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        249⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        250⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        251⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:4948
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        252⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:4528
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        253⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        254⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        255⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        256⤵
        Checks computer location settings
        
        PID:2864
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        257⤵
        Drops file in Drivers directory
        
        PID:2244
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        258⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        259⤵
        Drops file in Drivers directory
        
        PID:4008
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        260⤵
        Drops file in Drivers directory
        
        PID:852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        261⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        262⤵
        Drops file in Drivers directory
        
        PID:5112
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        263⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        264⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        265⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        266⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        267⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        268⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        269⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        270⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        271⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        272⤵
        Drops file in Drivers directory
        
        PID:4404
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        273⤵
        Drops file in Drivers directory
        
        PID:2308
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        274⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        275⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        276⤵
        Drops file in Drivers directory
        Checks computer location settings
        
        PID:436
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        277⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        278⤵
        Checks computer location settings
        
        PID:4564
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        279⤵
        Drops file in Drivers directory
        
        PID:2532
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        280⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        281⤵
        Checks computer location settings
        
        PID:1248
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        282⤵
        Drops file in Drivers directory
        
        PID:4876
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        283⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        284⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        285⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        286⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        287⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        288⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        289⤵
        Drops file in Drivers directory
        
        PID:3388
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        290⤵
        Checks computer location settings
        
        PID:2876
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        291⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        292⤵
        Drops file in Drivers directory
        
        PID:4136
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        293⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        294⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        295⤵
        Drops file in Drivers directory
        
        PID:3056
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        296⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        297⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        298⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        299⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        300⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        301⤵
        
        PID:728
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        302⤵
        
        PID:464
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        303⤵
        
        PID:744
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        304⤵
        Checks computer location settings
        
        PID:1000
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        305⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        306⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        307⤵
        Checks computer location settings
        
        PID:2548
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        308⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        309⤵
        Drops file in Drivers directory
        
        PID:1396
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        310⤵
        Checks computer location settings
        
        PID:2676
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        311⤵
        
        PID:840
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        312⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        313⤵
        Drops file in Drivers directory
        
        PID:3340
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        314⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        315⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        316⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        317⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        318⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        319⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        320⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        321⤵
        Drops file in Drivers directory
        
        PID:5016
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        322⤵
        Drops file in Drivers directory
        
        PID:1500
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        323⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        324⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        325⤵
        
        PID:540
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        326⤵
        Checks computer location settings
        
        PID:1528
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        327⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        328⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        329⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        330⤵
        Checks computer location settings
        
        PID:1464
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        331⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        332⤵
        
        PID:844
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        333⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        334⤵
        
        PID:208
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        335⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        336⤵
        Drops file in Drivers directory
        
        PID:4516
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        337⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        338⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        339⤵
        
        PID:632
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        340⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        341⤵
        Drops file in Drivers directory
        
        PID:2012
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        342⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        343⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        344⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        345⤵
        
        PID:432
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        346⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        347⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        348⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        349⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        350⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        351⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        352⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        353⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        354⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        355⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        356⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        357⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        358⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        359⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        360⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        361⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        362⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        363⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        364⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        365⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        366⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        367⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        368⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        369⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        370⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        371⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        372⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        373⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        374⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        375⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        376⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        377⤵
        
        PID:516
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        378⤵
        
        PID:960
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        379⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        380⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        381⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        382⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        383⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        384⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        385⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        386⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        387⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        388⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        389⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        390⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        391⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        392⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        393⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        394⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        395⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        396⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        397⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        398⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        399⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        400⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\msbootlog.exe
        
        "C:\Windows\System32\msbootlog.exe"
        401⤵
        
        PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hideproc.sys

Filesize
3KB

MD5
7b2e157302bf7bd071f54f0960f2f5d8

SHA1
bf4dfc298cddeafbe58eb35ee2c0ece246b41669

SHA256
753ec69ee1a7d9f024576175c94069787024dac13825722e291da0ae4c03304b

SHA512
0f76da9793bfeb594654945c92cc0ac26b45a491dc080fd21f860dc6b1efa271eed85603cad1904e867369c17e05e84271f3a063ab0801a778f421a7e5e83bf1

Download Submit
C:\Windows\SysWOW64\msbootlog.exe

Filesize
112KB

MD5
f8c937177a66c3eec3981b93f560e90a

SHA1
fee4ceae1277c5dddeb47f1931226a60ed357294

SHA256
593321ca07f9c6121407d4227251d28691586764486667538f93249e865e150e

SHA512
0d0e37f8e00cb529a19951e1dee543eabf201212af09013d62a85bddb3c6b625f399e917d20aae97e1cc1e37ac42e299c0b284c4c62d87fe743e1f9130a48f69

Download Submit
memory/728-493-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/744-887-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/768-0-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/768-28-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1356-532-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1396-40-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1424-416-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1436-337-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1440-558-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1560-157-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1608-402-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1616-595-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1676-66-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1676-81-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1852-698-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2000-324-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2076-685-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2152-299-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2156-442-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2208-106-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2228-672-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2228-312-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2244-608-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2532-480-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2552-826-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2568-209-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2568-749-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2588-376-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-364-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2612-634-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2656-170-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2656-519-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2780-647-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2840-389-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2892-910-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3000-272-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3112-762-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3376-545-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3452-428-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3452-621-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3452-247-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3636-454-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3812-863-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3912-508-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4112-350-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4132-839-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4172-67-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4172-259-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4240-736-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4272-898-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4304-711-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4324-814-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4364-132-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4400-196-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4440-775-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4440-221-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4652-119-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4688-789-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4852-93-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4944-285-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4980-850-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5008-468-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5044-874-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5048-53-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download