gh0strat | 2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe
Size

792KB
MD5

83cf592adb202e7791d7316180d6e9da
SHA1

953e914c2585b6d5f680c92359c74cccf264c49e
SHA256

2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685
SHA512

6eccbf94722884900d6be51f41683009aa01dddcd738edd9354da471796965c91b0439c15241ad7e4e090d95268dec76e1fe471927a408f1ee63ff0f2261d24b
SSDEEP

12288:cThR2oreHPuKNajprUkz0+NsqJnWNaYXkHihBq8BUn4ztqI5rXhVIqn:IKmKNUHI+NsqwYYX/LLBg48I5rRVr

Score

10^/10

gh0strat xmrig miner rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2876-0-0x0000000010000000-0x00000000100C9000-memory.dmp	family_gh0strat
behavioral1/memory/516-7-0x0000000010000000-0x00000000100C9000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2876-0-0x0000000010000000-0x00000000100C9000-memory.dmp	xmrig
behavioral1/memory/516-7-0x0000000010000000-0x00000000100C9000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe

Deletes itself 1 IoCs

pid	Process
2644	WScript.exe

Executes dropped EXE 64 IoCs

pid	Process
516	svchost.exe
2444	svchost.exe
3972	svchost.exe
4260	svchost.exe
4840	svchost.exe
1436	svchost.exe
4956	svchost.exe
2452	svchost.exe
4852	svchost.exe
4908	svchost.exe
2980	svchost.exe
4760	svchost.exe
2704	svchost.exe
844	svchost.exe
4552	svchost.exe
928	svchost.exe
3084	svchost.exe
1452	svchost.exe
2384	svchost.exe
1980	svchost.exe
8	svchost.exe
1700	svchost.exe
4744	svchost.exe
1044	svchost.exe
1976	svchost.exe
4436	svchost.exe
1428	svchost.exe
896	svchost.exe
1388	svchost.exe
4764	svchost.exe
4484	svchost.exe
1176	svchost.exe
2500	svchost.exe
1992	svchost.exe
1360	svchost.exe
2360	svchost.exe
3524	svchost.exe
2180	svchost.exe
3884	svchost.exe
2796	svchost.exe
1124	svchost.exe
1724	svchost.exe
752	svchost.exe
2176	svchost.exe
840	svchost.exe
556	svchost.exe
388	svchost.exe
4520	svchost.exe
3964	svchost.exe
4380	svchost.exe
1044	svchost.exe
2480	svchost.exe
3780	svchost.exe
2916	svchost.exe
4528	svchost.exe
4780	svchost.exe
1268	svchost.exe
2232	svchost.exe
1176	svchost.exe
3920	svchost.exe
4572	svchost.exe
2360	svchost.exe
3108	svchost.exe
4184	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe
File opened for modification	C:\Windows\svchost.exe	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4400	516	WerFault.exe	84
1992	4260	WerFault.exe	93
2064	4956	WerFault.exe	98
4228	4908	WerFault.exe	103
2040	2704	WerFault.exe	108
4708	928	WerFault.exe	113
4540	2384	WerFault.exe	118
2052	1700	WerFault.exe	123
4212	1976	WerFault.exe	128
5068	896	WerFault.exe	133
548	4484	WerFault.exe	138
4860	1992	WerFault.exe	143
2008	3524	WerFault.exe	148
4024	2796	WerFault.exe	153
4440	752	WerFault.exe	158
380	556	WerFault.exe	163
2460	3964	WerFault.exe	170
4876	2480	WerFault.exe	175
4756	4528	WerFault.exe	181
3044	2232	WerFault.exe	186
1080	4572	WerFault.exe	191
3112	4184	WerFault.exe	196
3356	1696	WerFault.exe	201
1276	2372	WerFault.exe	206
2668	1456	WerFault.exe	211
4420	1200	WerFault.exe	216
3540	1700	WerFault.exe	221
4592	1368	WerFault.exe	226
3572	516	WerFault.exe	231
4288	4364	WerFault.exe	236
1204	1720	WerFault.exe	241
4760	1784	WerFault.exe	246
2796	448	WerFault.exe	251
752	4396	WerFault.exe	256
1116	848	WerFault.exe	261
8	4580	WerFault.exe	266
2720	432	WerFault.exe	271
3952	4264	WerFault.exe	276
4028	4268	WerFault.exe	281
4780	868	WerFault.exe	286
3536	1436	WerFault.exe	291
2024	1360	WerFault.exe	296
3836	2008	WerFault.exe	301
5016	2712	WerFault.exe	306
812	2728	WerFault.exe	311
5020	4112	WerFault.exe	316
1464	924	WerFault.exe	321
536	4300	WerFault.exe	326
4312	1044	WerFault.exe	331
452	3404	WerFault.exe	336
4528	4268	WerFault.exe	341
1320	4780	WerFault.exe	346
2912	3332	WerFault.exe	351
3304	2700	WerFault.exe	356
1124	3836	WerFault.exe	361
4620	2704	WerFault.exe	366
3020	1228	WerFault.exe	371
3028	976	WerFault.exe	376
3904	3636	WerFault.exe	381
3952	4744	WerFault.exe	386
3552	1364	WerFault.exe	391
816	1196	WerFault.exe	396
3912	4252	WerFault.exe	401
2456	4364	WerFault.exe	406

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2644	2876	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe	87
PID 2876 wrote to memory of 2644	2876	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe	87
PID 2876 wrote to memory of 2644	2876	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe	87
PID 516 wrote to memory of 2444	516	svchost.exe	88
PID 516 wrote to memory of 2444	516	svchost.exe	88
PID 516 wrote to memory of 2444	516	svchost.exe	88
PID 516 wrote to memory of 3972	516	svchost.exe	89
PID 516 wrote to memory of 3972	516	svchost.exe	89
PID 516 wrote to memory of 3972	516	svchost.exe	89
PID 4260 wrote to memory of 4840	4260	svchost.exe	94
PID 4260 wrote to memory of 4840	4260	svchost.exe	94
PID 4260 wrote to memory of 4840	4260	svchost.exe	94
PID 4260 wrote to memory of 1436	4260	svchost.exe	95
PID 4260 wrote to memory of 1436	4260	svchost.exe	95
PID 4260 wrote to memory of 1436	4260	svchost.exe	95
PID 4956 wrote to memory of 2452	4956	svchost.exe	99
PID 4956 wrote to memory of 2452	4956	svchost.exe	99
PID 4956 wrote to memory of 2452	4956	svchost.exe	99
PID 4956 wrote to memory of 4852	4956	svchost.exe	100
PID 4956 wrote to memory of 4852	4956	svchost.exe	100
PID 4956 wrote to memory of 4852	4956	svchost.exe	100
PID 4908 wrote to memory of 2980	4908	svchost.exe	104
PID 4908 wrote to memory of 2980	4908	svchost.exe	104
PID 4908 wrote to memory of 2980	4908	svchost.exe	104
PID 4908 wrote to memory of 4760	4908	svchost.exe	105
PID 4908 wrote to memory of 4760	4908	svchost.exe	105
PID 4908 wrote to memory of 4760	4908	svchost.exe	105
PID 2704 wrote to memory of 844	2704	svchost.exe	109
PID 2704 wrote to memory of 844	2704	svchost.exe	109
PID 2704 wrote to memory of 844	2704	svchost.exe	109
PID 2704 wrote to memory of 4552	2704	svchost.exe	110
PID 2704 wrote to memory of 4552	2704	svchost.exe	110
PID 2704 wrote to memory of 4552	2704	svchost.exe	110
PID 928 wrote to memory of 3084	928	svchost.exe	114
PID 928 wrote to memory of 3084	928	svchost.exe	114
PID 928 wrote to memory of 3084	928	svchost.exe	114
PID 928 wrote to memory of 1452	928	svchost.exe	115
PID 928 wrote to memory of 1452	928	svchost.exe	115
PID 928 wrote to memory of 1452	928	svchost.exe	115
PID 2384 wrote to memory of 1980	2384	svchost.exe	119
PID 2384 wrote to memory of 1980	2384	svchost.exe	119
PID 2384 wrote to memory of 1980	2384	svchost.exe	119
PID 2384 wrote to memory of 8	2384	svchost.exe	120
PID 2384 wrote to memory of 8	2384	svchost.exe	120
PID 2384 wrote to memory of 8	2384	svchost.exe	120
PID 1700 wrote to memory of 4744	1700	svchost.exe	124
PID 1700 wrote to memory of 4744	1700	svchost.exe	124
PID 1700 wrote to memory of 4744	1700	svchost.exe	124
PID 1700 wrote to memory of 1044	1700	svchost.exe	125
PID 1700 wrote to memory of 1044	1700	svchost.exe	125
PID 1700 wrote to memory of 1044	1700	svchost.exe	125
PID 1976 wrote to memory of 4436	1976	svchost.exe	129
PID 1976 wrote to memory of 4436	1976	svchost.exe	129
PID 1976 wrote to memory of 4436	1976	svchost.exe	129
PID 1976 wrote to memory of 1428	1976	svchost.exe	130
PID 1976 wrote to memory of 1428	1976	svchost.exe	130
PID 1976 wrote to memory of 1428	1976	svchost.exe	130
PID 896 wrote to memory of 1388	896	svchost.exe	134
PID 896 wrote to memory of 1388	896	svchost.exe	134
PID 896 wrote to memory of 1388	896	svchost.exe	134
PID 896 wrote to memory of 4764	896	svchost.exe	135
PID 896 wrote to memory of 4764	896	svchost.exe	135
PID 896 wrote to memory of 4764	896	svchost.exe	135
PID 4484 wrote to memory of 1176	4484	svchost.exe	139

C:\Users\Admin\AppData\Local\Temp\2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe
"C:\Users\Admin\AppData\Local\Temp\2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\2908.vbs"
  2⤵
  - Deletes itself
  PID:2644

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 676
  2⤵
  - Program crash
  PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 516 -ip 516
1⤵
PID:3140

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 576
  2⤵
  - Program crash
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4260 -ip 4260
1⤵
PID:4756

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 576
  2⤵
  - Program crash
  PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4956 -ip 4956
1⤵
PID:3044

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 580
  2⤵
  - Program crash
  PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4908 -ip 4908
1⤵
PID:2896

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 576
  2⤵
  - Program crash
  PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2704 -ip 2704
1⤵
PID:3960

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 576
  2⤵
  - Program crash
  PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 928 -ip 928
1⤵
PID:4432

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 612
  2⤵
  - Program crash
  PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2384 -ip 2384
1⤵
PID:1656

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 576
  2⤵
  - Program crash
  PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1700 -ip 1700
1⤵
PID:3540

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 576
  2⤵
  - Program crash
  PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1976 -ip 1976
1⤵
PID:1660

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 612
  2⤵
  - Program crash
  PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 896 -ip 896
1⤵
PID:5100

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 624
  2⤵
  - Program crash
  PID:548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4484 -ip 4484
1⤵
PID:4736

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:1992
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 576
  2⤵
  - Program crash
  PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1992 -ip 1992
1⤵
PID:4460

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:3524
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 612
  2⤵
  - Program crash
  PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3524 -ip 3524
1⤵
PID:2524

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2796
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 640
  2⤵
  - Program crash
  PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2796 -ip 2796
1⤵
PID:4532

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:752
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 640
  2⤵
  - Program crash
  PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 752 -ip 752
1⤵
PID:1328

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:556
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 576
  2⤵
  - Program crash
  PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 556 -ip 556
1⤵
PID:1512

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:3964
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 576
  2⤵
  - Program crash
  PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3964 -ip 3964
1⤵
PID:3004

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2480
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 576
  2⤵
  - Program crash
  PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2480 -ip 2480
1⤵
PID:4436

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:4528
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 640
  2⤵
  - Program crash
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4528 -ip 4528
1⤵
PID:372

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2232
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 576
  2⤵
  - Program crash
  PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2232 -ip 2232
1⤵
PID:3160

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:4572
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 612
  2⤵
  - Program crash
  PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4572 -ip 4572
1⤵
PID:2700

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:4184
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3884
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 612
  2⤵
  - Program crash
  PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4184 -ip 4184
1⤵
PID:1640

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1696
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4788
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 576
  2⤵
  - Program crash
  PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1696 -ip 1696
1⤵
PID:2704

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2372
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:844
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 612
  2⤵
  - Program crash
  PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2372 -ip 2372
1⤵
PID:928

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1456
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3928
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 640
  2⤵
  - Program crash
  PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1456 -ip 1456
1⤵
PID:4792

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1200
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3904
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 576
  2⤵
  - Program crash
  PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1200 -ip 1200
1⤵
PID:220

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1700
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3808
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 576
  2⤵
  - Program crash
  PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1700 -ip 1700
1⤵
PID:4628

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1368
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4692
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 576
  2⤵
  - Program crash
  PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1368 -ip 1368
1⤵
PID:1196

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:516
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2764
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 612
  2⤵
  - Program crash
  PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 516 -ip 516
1⤵
PID:4524

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4364
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2184
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 576
  2⤵
  - Program crash
  PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4364 -ip 4364
1⤵
PID:1436

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1720
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4608
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 612
  2⤵
  - Program crash
  PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1720 -ip 1720
1⤵
PID:1360

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1784
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1080
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 576
  2⤵
  - Program crash
  PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1784 -ip 1784
1⤵
PID:2008

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:448
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1968
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 576
  2⤵
  - Program crash
  PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 448 -ip 448
1⤵
PID:2712

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4396
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1912
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 580
  2⤵
  - Program crash
  PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4396 -ip 4396
1⤵
PID:3704

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:848
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1276
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 576
  2⤵
  - Program crash
  PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 848 -ip 848
1⤵
PID:3628

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4580
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4540
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 576
  2⤵
  - Program crash
  PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4580 -ip 4580
1⤵
PID:4696

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:432
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4744
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 612
  2⤵
  - Program crash
  PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 432 -ip 432
1⤵
PID:3288

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4264
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2644
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3140
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 612
  2⤵
  - Program crash
  PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4264 -ip 4264
1⤵
PID:3540

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4268
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5000
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 640
  2⤵
  - Program crash
  PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4268 -ip 4268
1⤵
PID:3400

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:868
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:712
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 612
  2⤵
  - Program crash
  PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 868 -ip 868
1⤵
PID:2764

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1436
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1676
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 612
  2⤵
  - Program crash
  PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1436 -ip 1436
1⤵
PID:4840

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1360
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4644
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 576
  2⤵
  - Program crash
  PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1360 -ip 1360
1⤵
PID:2500

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2008
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2452
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 612
  2⤵
  - Program crash
  PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2008 -ip 2008
1⤵
PID:4368

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2712
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4868
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 576
  2⤵
  - Program crash
  PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2712 -ip 2712
1⤵
PID:4184

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2728
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4080
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 576
  2⤵
  - Program crash
  PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2728 -ip 2728
1⤵
PID:1696

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4112
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1512
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 576
  2⤵
  - Program crash
  PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4112 -ip 4112
1⤵
PID:2372

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:924
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1456
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:60
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 612
  2⤵
  - Program crash
  PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 924 -ip 924
1⤵
PID:2052

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4300
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4996
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 612
  2⤵
  - Program crash
  PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4300 -ip 4300
1⤵
PID:2816

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1044
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2576
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 612
  2⤵
  - Program crash
  PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1044 -ip 1044
1⤵
PID:4976

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3404
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3780
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 612
  2⤵
  - Program crash
  PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3404 -ip 3404
1⤵
PID:4220

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4268
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1972
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 640
  2⤵
  - Program crash
  PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4268 -ip 4268
1⤵
PID:1388

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4780
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2844
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 640
  2⤵
  - Program crash
  PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4780 -ip 4780
1⤵
PID:3076

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3332
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:984
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 612
  2⤵
  - Program crash
  PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3332 -ip 3332
1⤵
PID:3380

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2700
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3032
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 612
  2⤵
  - Program crash
  PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2700 -ip 2700
1⤵
PID:1652

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3836
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2008
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 612
  2⤵
  - Program crash
  PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3836 -ip 3836
1⤵
PID:1328

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2704
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1808
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 612
  2⤵
  - Program crash
  PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2704 -ip 2704
1⤵
PID:5096

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1228
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4936
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 612
  2⤵
  - Program crash
  PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1228 -ip 1228
1⤵
PID:388

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:976
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4112
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 612
  2⤵
  - Program crash
  PID:3028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 976 -ip 976
1⤵
PID:1756

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3636
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4836
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 612
  2⤵
  - Program crash
  PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3636 -ip 3636
1⤵
PID:8

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4744
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2296
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 612
  2⤵
  - Program crash
  PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4744 -ip 4744
1⤵
PID:952

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1364
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4380
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 612
  2⤵
  - Program crash
  PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1364 -ip 1364
1⤵
PID:1976

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1196
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5064
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 580
  2⤵
  - Program crash
  PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1196 -ip 1196
1⤵
PID:2880

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4252
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4584
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 612
  2⤵
  - Program crash
  PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4252 -ip 4252
1⤵
PID:372

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4364
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2304
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 624
  2⤵
  - Program crash
  PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4364 -ip 4364
1⤵
PID:4784

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4228
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2076
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 640
  2⤵
  PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4228 -ip 4228
1⤵
PID:3992

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2148
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1360
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 612
  2⤵
  PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2148 -ip 2148
1⤵
PID:2452

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3408
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1124
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 576
  2⤵
  PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3408 -ip 3408
1⤵
PID:4328

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3256
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1616
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 624
  2⤵
  PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3256 -ip 3256
1⤵
PID:1696

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4708
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2540
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4864
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 612
  2⤵
  PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4708 -ip 4708
1⤵
PID:380

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1228
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:848
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 616
  2⤵
  PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1228 -ip 1228
1⤵
PID:4896

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:5020
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3660
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 576
  2⤵
  PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5020 -ip 5020
1⤵
PID:1456

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3824
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2720
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 576
  2⤵
  PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3824 -ip 3824
1⤵
PID:2832

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4964
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:220
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 580
  2⤵
  PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4964 -ip 4964
1⤵
PID:2736

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3756
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4380
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 612
  2⤵
  PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3756 -ip 3756
1⤵
PID:2256

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1712
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2600
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 612
  2⤵
  PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1712 -ip 1712
1⤵
PID:2280

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3920
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4584
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 640
  2⤵
  PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3920 -ip 3920
1⤵
PID:1060

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3536
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3768
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 612
  2⤵
  PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3536 -ip 3536
1⤵
PID:3884

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4260
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3032
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 576
  2⤵
  PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4260 -ip 4260
1⤵
PID:4956

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2180
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4788
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 612
  2⤵
  PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2180 -ip 2180
1⤵
PID:4428

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3112
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1448
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 576
  2⤵
  PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3112 -ip 3112
1⤵
PID:1696

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3944
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1116
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 576
  2⤵
  PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3944 -ip 3944
1⤵
PID:1656

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3056
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2820
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 576
  2⤵
  PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3056 -ip 3056
1⤵
PID:64

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4676
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1964
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 576
  2⤵
  PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4676 -ip 4676
1⤵
PID:1256

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:468
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3548
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 468 -s 612
  2⤵
  PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 468 -ip 468
1⤵
PID:2116

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4580
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:892
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 612
  2⤵
  PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4580 -ip 4580
1⤵
PID:4400

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2296
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3964
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 580
  2⤵
  PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2296 -ip 2296
1⤵
PID:3780

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4592
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:456
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 612
  2⤵
  PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4592 -ip 4592
1⤵
PID:1624

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3040
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3760
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 576
  2⤵
  PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3040 -ip 3040
1⤵
PID:4780

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3912
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1268
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 612
  2⤵
  PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 3912 -ip 3912
1⤵
PID:1784

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4216
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3784
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 616
  2⤵
  PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4216 -ip 4216
1⤵
PID:3728

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4228
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3200
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 576
  2⤵
  PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4228 -ip 4228
1⤵
PID:920

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:784
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3408
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 576
  2⤵
  PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 784 -ip 784
1⤵
PID:1452

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2704
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3352
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 576
  2⤵
  PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2704 -ip 2704
1⤵
PID:1548

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4500
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3628
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 576
  2⤵
  PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4500 -ip 4500
1⤵
PID:4708

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4112
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1188
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 576
  2⤵
  PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4112 -ip 4112
1⤵
PID:1228

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3372
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1008
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 612
  2⤵
  PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3372 -ip 3372
1⤵
PID:976

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4272
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1476
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 612
  2⤵
  PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4272 -ip 4272
1⤵
PID:1252

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2688
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4376
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 576
  2⤵
  PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2688 -ip 2688
1⤵
PID:4084

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4060
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1368
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 640
  2⤵
  PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4060 -ip 4060
1⤵
PID:3964

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1624
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:816
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 612
  2⤵
  PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1624 -ip 1624
1⤵
PID:4700

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4568
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3420
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 612
  2⤵
  PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4568 -ip 4568
1⤵
PID:4760

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2908.vbs

Filesize
500B

MD5
698c72dac255eefa3e296241b836f710

SHA1
ff3166a7e73166e4deda97562aaf10eec1f14bf1

SHA256
b53d9fc57361f2161c78bac467fff508c23565bdce6d1f11a827f84279184f17

SHA512
8d70708dea35b52a469fdf3ffb31c0cac4ef7bed3e1eda16b0c95548888a146f69bcb3c042e2789962999edf3a1bb8207f9b51081a72e18ce29a3be602db0109

Download Submit
C:\Windows\svchost.exe

Filesize
792KB

MD5
83cf592adb202e7791d7316180d6e9da

SHA1
953e914c2585b6d5f680c92359c74cccf264c49e

SHA256
2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685

SHA512
6eccbf94722884900d6be51f41683009aa01dddcd738edd9354da471796965c91b0439c15241ad7e4e090d95268dec76e1fe471927a408f1ee63ff0f2261d24b

Download Submit
memory/516-7-0x0000000010000000-0x00000000100C9000-memory.dmp

Filesize
804KB

Download
memory/2876-0-0x0000000010000000-0x00000000100C9000-memory.dmp

Filesize
804KB

Download