gh0strat | 2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
14/06/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe
Size

792KB
MD5

83cf592adb202e7791d7316180d6e9da
SHA1

953e914c2585b6d5f680c92359c74cccf264c49e
SHA256

2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685
SHA512

6eccbf94722884900d6be51f41683009aa01dddcd738edd9354da471796965c91b0439c15241ad7e4e090d95268dec76e1fe471927a408f1ee63ff0f2261d24b
SSDEEP

12288:cThR2oreHPuKNajprUkz0+NsqJnWNaYXkHihBq8BUn4ztqI5rXhVIqn:IKmKNUHI+NsqwYYX/LLBg48I5rRVr

Score

10^/10

gh0strat xmrig miner rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/3324-0-0x0000000010000000-0x00000000100C9000-memory.dmp	family_gh0strat
behavioral2/memory/3212-7-0x0000000010000000-0x00000000100C9000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/3324-0-0x0000000010000000-0x00000000100C9000-memory.dmp	xmrig
behavioral2/memory/3212-7-0x0000000010000000-0x00000000100C9000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3404	WScript.exe

Executes dropped EXE 64 IoCs

pid	Process
3212	svchost.exe
4476	svchost.exe
4528	svchost.exe
888	svchost.exe
1308	svchost.exe
4120	svchost.exe
1896	svchost.exe
336	svchost.exe
4712	svchost.exe
3456	svchost.exe
3464	svchost.exe
2504	svchost.exe
3368	svchost.exe
4276	svchost.exe
2464	svchost.exe
4880	svchost.exe
3184	svchost.exe
1996	svchost.exe
4076	svchost.exe
2008	svchost.exe
1568	svchost.exe
5008	svchost.exe
872	svchost.exe
576	svchost.exe
1200	svchost.exe
2200	svchost.exe
2824	svchost.exe
2444	svchost.exe
240	svchost.exe
3700	svchost.exe
3712	svchost.exe
3560	svchost.exe
4740	svchost.exe
392	svchost.exe
3212	svchost.exe
3572	svchost.exe
3124	svchost.exe
4264	svchost.exe
3108	svchost.exe
1744	svchost.exe
2132	svchost.exe
3556	svchost.exe
2056	svchost.exe
3924	svchost.exe
4724	svchost.exe
3408	svchost.exe
3268	svchost.exe
1072	svchost.exe
2548	svchost.exe
3836	svchost.exe
4976	svchost.exe
3384	svchost.exe
3128	svchost.exe
1596	svchost.exe
3592	svchost.exe
4868	svchost.exe
576	svchost.exe
2840	svchost.exe
3856	svchost.exe
1200	svchost.exe
4768	svchost.exe
1640	svchost.exe
4692	svchost.exe
2968	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe
File opened for modification	C:\Windows\svchost.exe	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4832	3212	WerFault.exe	78
2284	888	WerFault.exe	85
2000	1896	WerFault.exe	90
4308	3456	WerFault.exe	95
3408	3368	WerFault.exe	100
2548	4880	WerFault.exe	105
864	4076	WerFault.exe	110
4808	5008	WerFault.exe	115
1208	1200	WerFault.exe	120
4072	2444	WerFault.exe	125
2808	3712	WerFault.exe	130
1908	392	WerFault.exe	135
236	3124	WerFault.exe	140
1056	1744	WerFault.exe	145
2800	2056	WerFault.exe	150
5100	3408	WerFault.exe	155
4544	2548	WerFault.exe	160
4548	3384	WerFault.exe	165
452	3592	WerFault.exe	170
2824	2840	WerFault.exe	175
3180	4768	WerFault.exe	180
2304	2968	WerFault.exe	185
2284	4984	WerFault.exe	190
4088	888	WerFault.exe	195
3564	3524	WerFault.exe	200
1096	1484	WerFault.exe	205
4644	4124	WerFault.exe	210
4544	4880	WerFault.exe	215
952	1408	WerFault.exe	220
860	1596	WerFault.exe	225
400	2876	WerFault.exe	230
240	1820	WerFault.exe	235
416	3180	WerFault.exe	240
3572	876	WerFault.exe	245
908	4452	WerFault.exe	250
2004	4460	WerFault.exe	255
2000	1164	WerFault.exe	260
728	2056	WerFault.exe	265
3568	3268	WerFault.exe	270
2400	5056	WerFault.exe	275
3544	2372	WerFault.exe	280
2200	2324	WerFault.exe	285
4792	1592	WerFault.exe	290
3036	4760	WerFault.exe	295
1588	5060	WerFault.exe	300
3348	3212	WerFault.exe	305
3736	3500	WerFault.exe	310
1868	2232	WerFault.exe	315
1904	3828	WerFault.exe	320
2056	4356	WerFault.exe	325
4816	792	WerFault.exe	330
5012	3832	WerFault.exe	335
3116	4936	WerFault.exe	340
3724	1876	WerFault.exe	345
4536	1188	WerFault.exe	350
4916	788	WerFault.exe	355
4248	3312	WerFault.exe	360
588	4120	WerFault.exe	365
4396	3216	WerFault.exe	370
4052	2112	WerFault.exe	375
408	4276	WerFault.exe	380
2888	3456	WerFault.exe	385
5100	2376	WerFault.exe	390
4468	2256	WerFault.exe	395

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 3404	3324	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe	79
PID 3324 wrote to memory of 3404	3324	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe	79
PID 3324 wrote to memory of 3404	3324	2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe	79
PID 3212 wrote to memory of 4476	3212	svchost.exe	80
PID 3212 wrote to memory of 4476	3212	svchost.exe	80
PID 3212 wrote to memory of 4476	3212	svchost.exe	80
PID 3212 wrote to memory of 4528	3212	svchost.exe	81
PID 3212 wrote to memory of 4528	3212	svchost.exe	81
PID 3212 wrote to memory of 4528	3212	svchost.exe	81
PID 888 wrote to memory of 1308	888	svchost.exe	86
PID 888 wrote to memory of 1308	888	svchost.exe	86
PID 888 wrote to memory of 1308	888	svchost.exe	86
PID 888 wrote to memory of 4120	888	svchost.exe	87
PID 888 wrote to memory of 4120	888	svchost.exe	87
PID 888 wrote to memory of 4120	888	svchost.exe	87
PID 1896 wrote to memory of 336	1896	svchost.exe	91
PID 1896 wrote to memory of 336	1896	svchost.exe	91
PID 1896 wrote to memory of 336	1896	svchost.exe	91
PID 1896 wrote to memory of 4712	1896	svchost.exe	92
PID 1896 wrote to memory of 4712	1896	svchost.exe	92
PID 1896 wrote to memory of 4712	1896	svchost.exe	92
PID 3456 wrote to memory of 3464	3456	svchost.exe	96
PID 3456 wrote to memory of 3464	3456	svchost.exe	96
PID 3456 wrote to memory of 3464	3456	svchost.exe	96
PID 3456 wrote to memory of 2504	3456	svchost.exe	97
PID 3456 wrote to memory of 2504	3456	svchost.exe	97
PID 3456 wrote to memory of 2504	3456	svchost.exe	97
PID 3368 wrote to memory of 4276	3368	svchost.exe	101
PID 3368 wrote to memory of 4276	3368	svchost.exe	101
PID 3368 wrote to memory of 4276	3368	svchost.exe	101
PID 3368 wrote to memory of 2464	3368	svchost.exe	102
PID 3368 wrote to memory of 2464	3368	svchost.exe	102
PID 3368 wrote to memory of 2464	3368	svchost.exe	102
PID 4880 wrote to memory of 3184	4880	svchost.exe	106
PID 4880 wrote to memory of 3184	4880	svchost.exe	106
PID 4880 wrote to memory of 3184	4880	svchost.exe	106
PID 4880 wrote to memory of 1996	4880	svchost.exe	107
PID 4880 wrote to memory of 1996	4880	svchost.exe	107
PID 4880 wrote to memory of 1996	4880	svchost.exe	107
PID 4076 wrote to memory of 2008	4076	svchost.exe	111
PID 4076 wrote to memory of 2008	4076	svchost.exe	111
PID 4076 wrote to memory of 2008	4076	svchost.exe	111
PID 4076 wrote to memory of 1568	4076	svchost.exe	112
PID 4076 wrote to memory of 1568	4076	svchost.exe	112
PID 4076 wrote to memory of 1568	4076	svchost.exe	112
PID 5008 wrote to memory of 872	5008	svchost.exe	116
PID 5008 wrote to memory of 872	5008	svchost.exe	116
PID 5008 wrote to memory of 872	5008	svchost.exe	116
PID 5008 wrote to memory of 576	5008	svchost.exe	117
PID 5008 wrote to memory of 576	5008	svchost.exe	117
PID 5008 wrote to memory of 576	5008	svchost.exe	117
PID 1200 wrote to memory of 2200	1200	svchost.exe	121
PID 1200 wrote to memory of 2200	1200	svchost.exe	121
PID 1200 wrote to memory of 2200	1200	svchost.exe	121
PID 1200 wrote to memory of 2824	1200	svchost.exe	122
PID 1200 wrote to memory of 2824	1200	svchost.exe	122
PID 1200 wrote to memory of 2824	1200	svchost.exe	122
PID 2444 wrote to memory of 240	2444	svchost.exe	126
PID 2444 wrote to memory of 240	2444	svchost.exe	126
PID 2444 wrote to memory of 240	2444	svchost.exe	126
PID 2444 wrote to memory of 3700	2444	svchost.exe	127
PID 2444 wrote to memory of 3700	2444	svchost.exe	127
PID 2444 wrote to memory of 3700	2444	svchost.exe	127
PID 3712 wrote to memory of 3560	3712	svchost.exe	131

C:\Users\Admin\AppData\Local\Temp\2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe
"C:\Users\Admin\AppData\Local\Temp\2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685.exe"
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\9932.vbs"
  2⤵
  - Deletes itself
  PID:3404

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 684
  2⤵
  - Program crash
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3212 -ip 3212
1⤵
PID:4928

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:888
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 600
  2⤵
  - Program crash
  PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 888 -ip 888
1⤵
PID:4268

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 632
  2⤵
  - Program crash
  PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1896 -ip 1896
1⤵
PID:2828

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 600
  2⤵
  - Program crash
  PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3456 -ip 3456
1⤵
PID:2500

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 660
  2⤵
  - Program crash
  PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3368 -ip 3368
1⤵
PID:3960

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 600
  2⤵
  - Program crash
  PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4880 -ip 4880
1⤵
PID:3732

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 604
  2⤵
  - Program crash
  PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4076 -ip 4076
1⤵
PID:5056

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 600
  2⤵
  - Program crash
  PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5008 -ip 5008
1⤵
PID:2068

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 600
  2⤵
  - Program crash
  PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1200 -ip 1200
1⤵
PID:244

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 632
  2⤵
  - Program crash
  PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 2444 -ip 2444
1⤵
PID:788

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 600
  2⤵
  - Program crash
  PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3712 -ip 3712
1⤵
PID:3864

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:392
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 660
  2⤵
  - Program crash
  PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 392 -ip 392
1⤵
PID:2216

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:3124
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 600
  2⤵
  - Program crash
  PID:236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3124 -ip 3124
1⤵
PID:992

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:1744
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 600
  2⤵
  - Program crash
  PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1744 -ip 1744
1⤵
PID:3872

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2056
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 600
  2⤵
  - Program crash
  PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2056 -ip 2056
1⤵
PID:3372

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:3408
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 600
  2⤵
  - Program crash
  PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3408 -ip 3408
1⤵
PID:3620

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2548
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 600
  2⤵
  - Program crash
  PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2548 -ip 2548
1⤵
PID:2916

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:3384
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 600
  2⤵
  - Program crash
  PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3384 -ip 3384
1⤵
PID:3528

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:3592
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 600
  2⤵
  - Program crash
  PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3592 -ip 3592
1⤵
PID:4636

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2840
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 660
  2⤵
  - Program crash
  PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2840 -ip 2840
1⤵
PID:1100

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:4768
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 592
  2⤵
  - Program crash
  PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4768 -ip 4768
1⤵
PID:4752

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:2968
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1376
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 600
  2⤵
  - Program crash
  PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2968 -ip 2968
1⤵
PID:3712

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4984
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4452
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 600
  2⤵
  - Program crash
  PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4984 -ip 4984
1⤵
PID:4248

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:888
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4048
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 660
  2⤵
  - Program crash
  PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 888 -ip 888
1⤵
PID:4924

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3524
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3828
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 660
  2⤵
  - Program crash
  PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3524 -ip 3524
1⤵
PID:336

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1484
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4044
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 600
  2⤵
  - Program crash
  PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1484 -ip 1484
1⤵
PID:2056

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4124
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3732
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 660
  2⤵
  - Program crash
  PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4124 -ip 4124
1⤵
PID:3472

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4880
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1652
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 660
  2⤵
  - Program crash
  PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4880 -ip 4880
1⤵
PID:4888

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1408
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2296
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 632
  2⤵
  - Program crash
  PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1408 -ip 1408
1⤵
PID:3380

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1596
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2144
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 600
  2⤵
  - Program crash
  PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1596 -ip 1596
1⤵
PID:2020

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2876
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:232
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 600
  2⤵
  - Program crash
  PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2876 -ip 2876
1⤵
PID:1216

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1820
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5044
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 600
  2⤵
  - Program crash
  PID:240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1820 -ip 1820
1⤵
PID:1212

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3180
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4768
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 600
  2⤵
  - Program crash
  PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3180 -ip 3180
1⤵
PID:2784

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:876
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:588
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 600
  2⤵
  - Program crash
  PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 876 -ip 876
1⤵
PID:2016

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4452
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4528
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 600
  2⤵
  - Program crash
  PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4452 -ip 4452
1⤵
PID:472

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4460
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5028
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 600
  2⤵
  - Program crash
  PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4460 -ip 4460
1⤵
PID:4264

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1164
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3872
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 600
  2⤵
  - Program crash
  PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1164 -ip 1164
1⤵
PID:4640

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2056
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3960
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 632
  2⤵
  - Program crash
  PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2056 -ip 2056
1⤵
PID:3924

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3268
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3596
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 600
  2⤵
  - Program crash
  PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3268 -ip 3268
1⤵
PID:5036

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:5056
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1940
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 660
  2⤵
  - Program crash
  PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5056 -ip 5056
1⤵
PID:2904

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2372
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:952
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 660
  2⤵
  - Program crash
  PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2372 -ip 2372
1⤵
PID:4936

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2324
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2060
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 600
  2⤵
  - Program crash
  PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2324 -ip 2324
1⤵
PID:1596

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1592
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:232
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 600
  2⤵
  - Program crash
  PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 1592 -ip 1592
1⤵
PID:2676

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4760
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3340
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 660
  2⤵
  - Program crash
  PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4760 -ip 4760
1⤵
PID:1820

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:5060
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4908
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 600
  2⤵
  - Program crash
  PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5060 -ip 5060
1⤵
PID:2808

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3212
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3280
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 660
  2⤵
  - Program crash
  PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3212 -ip 3212
1⤵
PID:3560

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3500
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4728
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 660
  2⤵
  - Program crash
  PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3500 -ip 3500
1⤵
PID:4452

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2232
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2500
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 660
  2⤵
  - Program crash
  PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2232 -ip 2232
1⤵
PID:3108

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3828
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2268
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 660
  2⤵
  - Program crash
  PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3828 -ip 3828
1⤵
PID:1248

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4356
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3464
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 660
  2⤵
  - Program crash
  PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356
1⤵
PID:3456

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:792
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3356
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 604
  2⤵
  - Program crash
  PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 792 -ip 792
1⤵
PID:4304

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3832
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4888
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 600
  2⤵
  - Program crash
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3832 -ip 3832
1⤵
PID:3128

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4936
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3380
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 660
  2⤵
  - Program crash
  PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4936 -ip 4936
1⤵
PID:1408

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1876
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2608
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 660
  2⤵
  - Program crash
  PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1876 -ip 1876
1⤵
PID:1716

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1188
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2628
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 660
  2⤵
  - Program crash
  PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1188 -ip 1188
1⤵
PID:1100

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:788
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1224
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 632
  2⤵
  - Program crash
  PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 788 -ip 788
1⤵
PID:5076

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3312
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4928
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 600
  2⤵
  - Program crash
  PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3312 -ip 3312
1⤵
PID:2408

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4120
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3428
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 660
  2⤵
  - Program crash
  PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4120 -ip 4120
1⤵
PID:1076

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3216
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1704
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 660
  2⤵
  - Program crash
  PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 3216 -ip 3216
1⤵
PID:4088

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2112
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1056
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 600
  2⤵
  - Program crash
  PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2112 -ip 2112
1⤵
PID:440

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4276
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3556
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 660
  2⤵
  - Program crash
  PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4276 -ip 4276
1⤵
PID:3004

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3456
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3464
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 600
  2⤵
  - Program crash
  PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3456 -ip 3456
1⤵
PID:2300

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2376
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1396
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 660
  2⤵
  - Program crash
  PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2376 -ip 2376
1⤵
PID:2904

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2256
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2972
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 632
  2⤵
  - Program crash
  PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2256 -ip 2256
1⤵
PID:3332

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:5096
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3116
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 632
  2⤵
  PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5096 -ip 5096
1⤵
PID:2908

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3188
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3724
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4756
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 600
  2⤵
  PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3188 -ip 3188
1⤵
PID:3852

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1216
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4536
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1640
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 600
  2⤵
  PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1216 -ip 1216
1⤵
PID:2292

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1872
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1344
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 660
  2⤵
  PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1872 -ip 1872
1⤵
PID:780

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2388
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1832
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 660
  2⤵
  PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2388 -ip 2388
1⤵
PID:1260

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4928
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3956
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 660
  2⤵
  PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4928 -ip 4928
1⤵
PID:2016

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:876
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4048
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 600
  2⤵
  PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 876 -ip 876
1⤵
PID:336

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2252
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1520
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 600
  2⤵
  PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2252 -ip 2252
1⤵
PID:1584

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4052
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2120
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 600
  2⤵
  PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4052 -ip 4052
1⤵
PID:1096

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3004
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1532
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 660
  2⤵
  PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3004 -ip 3004
1⤵
PID:3372

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3568
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4644
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 600
  2⤵
  PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3568 -ip 3568
1⤵
PID:3148

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2068
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1016
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 600
  2⤵
  PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2068 -ip 2068
1⤵
PID:4548

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3384
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4020
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 600
  2⤵
  PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3384 -ip 3384
1⤵
PID:4808

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2908
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2360
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 632
  2⤵
  PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2908 -ip 2908
1⤵
PID:244

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1472
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:576
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 660
  2⤵
  PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1472 -ip 1472
1⤵
PID:1200

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:5044
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1340
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 660
  2⤵
  PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5044 -ip 5044
1⤵
PID:412

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3324
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1872
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 600
  2⤵
  PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3324 -ip 3324
1⤵
PID:2216

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4740
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4236
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 604
  2⤵
  PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4740 -ip 4740
1⤵
PID:3144

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2244
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4832
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2532
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 660
  2⤵
  PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2244 -ip 2244
1⤵
PID:3052

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4596
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3260
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 660
  2⤵
  PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4596 -ip 4596
1⤵
PID:4396

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:888
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3692
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 660
  2⤵
  PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 888 -ip 888
1⤵
PID:2800

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2252
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3524
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 632
  2⤵
  PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2252 -ip 2252
1⤵
PID:4272

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:248
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2156
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 248 -s 600
  2⤵
  PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 248 -ip 248
1⤵
PID:3620

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2300
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3596
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 600
  2⤵
  PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2300 -ip 2300
1⤵
PID:4976

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:932
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4880
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 600
  2⤵
  PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 932 -ip 932
1⤵
PID:4284

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2880
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4384
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 632
  2⤵
  PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2880 -ip 2880
1⤵
PID:5008

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2180
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3388
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 660
  2⤵
  PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 2180 -ip 2180
1⤵
PID:424

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2360
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1352
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 600
  2⤵
  PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2360 -ip 2360
1⤵
PID:232

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1932
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4716
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 632
  2⤵
  PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1932 -ip 1932
1⤵
PID:1768

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1640
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3992
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 660
  2⤵
  PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1640 -ip 1640
1⤵
PID:2408

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4116
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1792
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 600
  2⤵
  PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4116 -ip 4116
1⤵
PID:2556

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1144
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2016
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 604
  2⤵
  PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1144 -ip 1144
1⤵
PID:3312

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4672
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4760
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 660
  2⤵
  PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4672 -ip 4672
1⤵
PID:3920

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4452
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1112
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 600
  2⤵
  PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4452 -ip 4452
1⤵
PID:3548

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3044
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3828
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 644
  2⤵
  PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3044 -ip 3044
1⤵
PID:4044

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4960
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1008
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 632
  2⤵
  PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4960 -ip 4960
1⤵
PID:3368

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4852
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3464
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 660
  2⤵
  PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4852 -ip 4852
1⤵
PID:1676

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4324
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2548
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 632
  2⤵
  PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4324 -ip 4324
1⤵
PID:5100

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3208
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:3384
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 632
  2⤵
  PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3208 -ip 3208
1⤵
PID:2876

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2972
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:2820
- C:\Windows\svchost.exe
  C:\Windows\svchost.exe Win7
  2⤵
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 600
  2⤵
  PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2972 -ip 2972
1⤵
PID:232

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9932.vbs

Filesize
500B

MD5
698c72dac255eefa3e296241b836f710

SHA1
ff3166a7e73166e4deda97562aaf10eec1f14bf1

SHA256
b53d9fc57361f2161c78bac467fff508c23565bdce6d1f11a827f84279184f17

SHA512
8d70708dea35b52a469fdf3ffb31c0cac4ef7bed3e1eda16b0c95548888a146f69bcb3c042e2789962999edf3a1bb8207f9b51081a72e18ce29a3be602db0109

Download Submit
C:\Windows\svchost.exe

Filesize
792KB

MD5
83cf592adb202e7791d7316180d6e9da

SHA1
953e914c2585b6d5f680c92359c74cccf264c49e

SHA256
2672c1254165007fd8af38b9b123cf90919ca4c4f877d89448b29937a185b685

SHA512
6eccbf94722884900d6be51f41683009aa01dddcd738edd9354da471796965c91b0439c15241ad7e4e090d95268dec76e1fe471927a408f1ee63ff0f2261d24b

Download Submit
memory/3212-7-0x0000000010000000-0x00000000100C9000-memory.dmp

Filesize
804KB

Download
memory/3324-0-0x0000000010000000-0x00000000100C9000-memory.dmp

Filesize
804KB

Download