gh0strat | cd8e7f1fadc3a8b755e0cc85b27ce5c0a06b255d32f168dd1e13e40eced9efab

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2025, 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
Size

2.5MB
MD5

5f6aedfcf522c8ec265fa9a0055c8d44
SHA1

d32cfb28902d247a233ed670119806458ba0327d
SHA256

cd8e7f1fadc3a8b755e0cc85b27ce5c0a06b255d32f168dd1e13e40eced9efab
SHA512

3ab52464c010228d55d531584c11c81fff90a77dcef9fd8206efddb68e795751788d154e76110394953c47107b4952c10bd49e339fb42c3011b2797d6f9a1846
SSDEEP

24576:mISz8w+FV5CdMrjV5SC/+K44I752SH5LZuQX0soOtX1O2E4A2uGuukzAGwQkhnQ/:md8P5rtR4D2qZNoO+2bFiAGw3+IBgwt8

Score

10^/10

gh0strat discovery rat upx

Malware Config

Signatures

Gh0st RAT payload 17 IoCs

resource	yara_rule
behavioral2/files/0x000b00000001e695-75.dat	family_gh0strat
behavioral2/memory/2740-91-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4760-94-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1384-97-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2484-100-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2436-103-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/5116-106-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4892-110-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/2040-113-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3804-116-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4868-119-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4512-122-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/232-125-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4080-128-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/1240-131-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/3164-134-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral2/memory/4664-137-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Executes dropped EXE 1 IoCs

pid	Process
448	ÆÆCFÖ÷Çý¶¯.exe

Loads dropped DLL 64 IoCs

pid	Process
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
2740	svchost.exe
4760	svchost.exe
1384	svchost.exe
2484	svchost.exe
2436	svchost.exe
5116	svchost.exe
4892	svchost.exe
2040	svchost.exe
3804	svchost.exe
4868	svchost.exe
4512	svchost.exe
232	svchost.exe
4080	svchost.exe
1240	svchost.exe
3164	svchost.exe
4664	svchost.exe
1248	svchost.exe
2988	svchost.exe
4452	svchost.exe
3004	svchost.exe
3052	svchost.exe
5088	svchost.exe
1576	svchost.exe
1920	svchost.exe
404	svchost.exe
216	svchost.exe
2824	svchost.exe
4688	svchost.exe
3552	svchost.exe
4524	svchost.exe
1896	svchost.exe
3044	svchost.exe
4480	svchost.exe
4844	svchost.exe
4792	svchost.exe
1964	svchost.exe
2624	svchost.exe
4236	svchost.exe
4536	svchost.exe
4164	svchost.exe
336	svchost.exe
3056	svchost.exe
1096	svchost.exe
3596	svchost.exe
5036	svchost.exe
3912	svchost.exe
4660	svchost.exe
4536	svchost.exe
4344	svchost.exe
432	svchost.exe
2764	svchost.exe
3800	svchost.exe
4348	svchost.exe
2040	svchost.exe
4160	svchost.exe
1540	svchost.exe
4432	svchost.exe
2024	svchost.exe
1424	svchost.exe
2344	svchost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ypsoetgnqr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yephleesrx	svchost.exe
File created	C:\Windows\SysWOW64\ytaeydxask	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yswtuftfhs	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yysnrlfmcs	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yvudgimjeg	svchost.exe
File created	C:\Windows\SysWOW64\yvudgimjeg	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yjvlclcfhu	svchost.exe
File created	C:\Windows\SysWOW64\yhalugnvva	svchost.exe
File created	C:\Windows\SysWOW64\yhhvryciww	svchost.exe
File created	C:\Windows\SysWOW64\yvoibarulr	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yquyirkicj	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yomuylmywd	svchost.exe
File created	C:\Windows\SysWOW64\yvoibarulr	svchost.exe
File created	C:\Windows\SysWOW64\ydqwdoxqag	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yfsqpchnep	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yfflnbxnke	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ycahwplvtd	svchost.exe
File created	C:\Windows\SysWOW64\ylhphayhgb	svchost.exe
File created	C:\Windows\SysWOW64\yhhvryciww	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yalcusqbbw	svchost.exe
File created	C:\Windows\SysWOW64\yuferttlgl	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yrxjmpodob	svchost.exe
File created	C:\Windows\SysWOW64\yiqbbfarcd	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yoaabmvyqo	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ysqypwyqne	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ynqfyvdsea	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\ygxbqijbji	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe.txt	svchost.exe
File created	C:\Windows\SysWOW64\yksunskogm	svchost.exe
File created	C:\Windows\SysWOW64\ycqmuysoho	svchost.exe
File created	C:\Windows\SysWOW64\ybxwsrhahl	svchost.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3836-2-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-3-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-44-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-48-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-42-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-41-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-38-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-35-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-31-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-29-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-27-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-25-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-21-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-15-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-13-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-9-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-4-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-47-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-33-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-23-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-19-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-17-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-11-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-7-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-5-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-0-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/3836-109-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2744	2740	WerFault.exe	93
4440	4760	WerFault.exe	100
1916	1384	WerFault.exe	105
2272	2484	WerFault.exe	108
1240	2436	WerFault.exe	111
2628	5116	WerFault.exe	114
4532	4892	WerFault.exe	118
5024	2040	WerFault.exe	121
4496	3804	WerFault.exe	124
2656	4868	WerFault.exe	127
2992	4512	WerFault.exe	130
2808	232	WerFault.exe	135
3436	4080	WerFault.exe	138
3264	1240	WerFault.exe	141
4616	3164	WerFault.exe	144
4948	4664	WerFault.exe	147
116	1248	WerFault.exe	150
4688	2988	WerFault.exe	153
4760	4452	WerFault.exe	156
1324	3004	WerFault.exe	159
1160	3052	WerFault.exe	162
2436	5088	WerFault.exe	165
1240	1576	WerFault.exe	168
5080	1920	WerFault.exe	171
3128	404	WerFault.exe	174
2760	216	WerFault.exe	177
936	2824	WerFault.exe	180
4852	4688	WerFault.exe	183
1780	3552	WerFault.exe	186
3892	4524	WerFault.exe	189
3052	1896	WerFault.exe	192
5048	3044	WerFault.exe	195
3788	4480	WerFault.exe	198
4616	4844	WerFault.exe	201
3696	4792	WerFault.exe	204
3092	1964	WerFault.exe	207
3064	2624	WerFault.exe	210
3588	4236	WerFault.exe	213
4500	4536	WerFault.exe	216
1384	4164	WerFault.exe	219
4056	336	WerFault.exe	223
5048	3056	WerFault.exe	226
3788	1096	WerFault.exe	229
4080	3596	WerFault.exe	232
5080	5036	WerFault.exe	235
1744	3912	WerFault.exe	238
2612	4660	WerFault.exe	242
4368	4536	WerFault.exe	246
2708	4344	WerFault.exe	249
876	432	WerFault.exe	253
4792	2764	WerFault.exe	256
5088	3800	WerFault.exe	259
3092	4348	WerFault.exe	262
4204	2040	WerFault.exe	265
4368	4160	WerFault.exe	268
4544	1540	WerFault.exe	271
3788	4432	WerFault.exe	276
4616	2024	WerFault.exe	280
4576	1424	WerFault.exe	283
4716	2344	WerFault.exe	286
4052	3528	WerFault.exe	289
1376	4204	WerFault.exe	292
4524	5064	WerFault.exe	295
3896	4972	WerFault.exe	298

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÆÆCFÖ÷Çý¶¯.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	448	ÆÆCFÖ÷Çý¶¯.exe
Token: SeRestorePrivilege	448	ÆÆCFÖ÷Çý¶¯.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeRestorePrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeSecurityPrivilege	4760	svchost.exe
Token: SeBackupPrivilege	4760	svchost.exe
Token: SeRestorePrivilege	4760	svchost.exe
Token: SeBackupPrivilege	1384	svchost.exe
Token: SeRestorePrivilege	1384	svchost.exe
Token: SeBackupPrivilege	1384	svchost.exe
Token: SeBackupPrivilege	1384	svchost.exe
Token: SeSecurityPrivilege	1384	svchost.exe
Token: SeSecurityPrivilege	1384	svchost.exe
Token: SeBackupPrivilege	1384	svchost.exe
Token: SeBackupPrivilege	1384	svchost.exe
Token: SeSecurityPrivilege	1384	svchost.exe
Token: SeBackupPrivilege	1384	svchost.exe
Token: SeBackupPrivilege	1384	svchost.exe
Token: SeSecurityPrivilege	1384	svchost.exe
Token: SeBackupPrivilege	1384	svchost.exe
Token: SeRestorePrivilege	1384	svchost.exe
Token: SeBackupPrivilege	2484	svchost.exe
Token: SeRestorePrivilege	2484	svchost.exe
Token: SeBackupPrivilege	2484	svchost.exe
Token: SeBackupPrivilege	2484	svchost.exe
Token: SeSecurityPrivilege	2484	svchost.exe
Token: SeSecurityPrivilege	2484	svchost.exe
Token: SeBackupPrivilege	2484	svchost.exe
Token: SeBackupPrivilege	2484	svchost.exe
Token: SeSecurityPrivilege	2484	svchost.exe
Token: SeBackupPrivilege	2484	svchost.exe
Token: SeBackupPrivilege	2484	svchost.exe
Token: SeSecurityPrivilege	2484	svchost.exe
Token: SeBackupPrivilege	2484	svchost.exe
Token: SeRestorePrivilege	2484	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeRestorePrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeBackupPrivilege	2436	svchost.exe
Token: SeSecurityPrivilege	2436	svchost.exe
Token: SeSecurityPrivilege	2436	svchost.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 448	3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe	90
PID 3836 wrote to memory of 448	3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe	90
PID 3836 wrote to memory of 448	3836	JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5f6aedfcf522c8ec265fa9a0055c8d44.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Users\Admin\Documents\ÆÆCFÖ÷Çý¶¯.exe
  C:\Users\Admin\Documents\/ÆÆCFÖ÷Çý¶¯.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 772
  2⤵
  - Program crash
  PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2740 -ip 2740
1⤵
PID:3464

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 852
  2⤵
  - Program crash
  PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4760 -ip 4760
1⤵
PID:4536

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 852
  2⤵
  - Program crash
  PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1384 -ip 1384
1⤵
PID:2992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 872
  2⤵
  - Program crash
  PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2484 -ip 2484
1⤵
PID:1376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 940
  2⤵
  - Program crash
  PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2436 -ip 2436
1⤵
PID:1868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 848
  2⤵
  - Program crash
  PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5116 -ip 5116
1⤵
PID:2832

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 868
  2⤵
  - Program crash
  PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4892 -ip 4892
1⤵
PID:3112

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 848
  2⤵
  - Program crash
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2040 -ip 2040
1⤵
PID:216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 924
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3804 -ip 3804
1⤵
PID:2300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 868
  2⤵
  - Program crash
  PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4868 -ip 4868
1⤵
PID:2740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4512
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 1076
  2⤵
  - Program crash
  PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4512 -ip 4512
1⤵
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 928
  2⤵
  - Program crash
  PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 232 -ip 232
1⤵
PID:3052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 872
  2⤵
  - Program crash
  PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4080 -ip 4080
1⤵
PID:376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 876
  2⤵
  - Program crash
  PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1240 -ip 1240
1⤵
PID:5048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 876
  2⤵
  - Program crash
  PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3164 -ip 3164
1⤵
PID:4768

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 872
  2⤵
  - Program crash
  PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4664 -ip 4664
1⤵
PID:4892

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:1248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 1104
  2⤵
  - Program crash
  PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1248 -ip 1248
1⤵
PID:2760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:2988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 884
  2⤵
  - Program crash
  PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2988 -ip 2988
1⤵
PID:3464

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 1088
  2⤵
  - Program crash
  PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4452 -ip 4452
1⤵
PID:3224

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 1040
  2⤵
  - Program crash
  PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3004 -ip 3004
1⤵
PID:4500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 872
  2⤵
  - Program crash
  PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3052 -ip 3052
1⤵
PID:1896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5088 -s 1040
  2⤵
  - Program crash
  PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5088 -ip 5088
1⤵
PID:4972

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 860
  2⤵
  - Program crash
  PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1576 -ip 1576
1⤵
PID:432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 908
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1920 -ip 1920
1⤵
PID:4280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 868
  2⤵
  - Program crash
  PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 404 -ip 404
1⤵
PID:2344

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 932
  2⤵
  - Program crash
  PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 216 -ip 216
1⤵
PID:2040

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 920
  2⤵
  - Program crash
  PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2824 -ip 2824
1⤵
PID:2912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 872
  2⤵
  - Program crash
  PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4688 -ip 4688
1⤵
PID:4868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 836
  2⤵
  - Program crash
  PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3552 -ip 3552
1⤵
PID:3248

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 864
  2⤵
  - Program crash
  PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4524 -ip 4524
1⤵
PID:1144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:1896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 872
  2⤵
  - Program crash
  PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1896 -ip 1896
1⤵
PID:3016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 884
  2⤵
  - Program crash
  PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3044 -ip 3044
1⤵
PID:2484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 864
  2⤵
  - Program crash
  PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4480 -ip 4480
1⤵
PID:5116

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 884
  2⤵
  - Program crash
  PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4844 -ip 4844
1⤵
PID:4620

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1104
  2⤵
  - Program crash
  PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4792 -ip 4792
1⤵
PID:2784

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 1040
  2⤵
  - Program crash
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1964 -ip 1964
1⤵
PID:4968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:2624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 932
  2⤵
  - Program crash
  PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2624 -ip 2624
1⤵
PID:2744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 928
  2⤵
  - Program crash
  PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4236 -ip 4236
1⤵
PID:4408

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 856
  2⤵
  - Program crash
  PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4536 -ip 4536
1⤵
PID:4512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 852
  2⤵
  - Program crash
  PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4164 -ip 4164
1⤵
PID:2712

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 1104
  2⤵
  - Program crash
  PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 336 -ip 336
1⤵
PID:1160

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1104
  2⤵
  - Program crash
  PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3056 -ip 3056
1⤵
PID:2252

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1096
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 928
  2⤵
  - Program crash
  PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1096 -ip 1096
1⤵
PID:4432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:3596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 948
  2⤵
  - Program crash
  PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3596 -ip 3596
1⤵
PID:1048

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 872
  2⤵
  - Program crash
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5036 -ip 5036
1⤵
PID:4892

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1088
  2⤵
  - Program crash
  PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3912 -ip 3912
1⤵
PID:2740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 1040
  2⤵
  - Program crash
  PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4660 -ip 4660
1⤵
PID:2016

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 924
  2⤵
  - Program crash
  PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4536 -ip 4536
1⤵
PID:1376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1112
  2⤵
  - Program crash
  PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4344 -ip 4344
1⤵
PID:4436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 916
  2⤵
  - Program crash
  PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 432 -ip 432
1⤵
PID:4532

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:2764
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 860
  2⤵
  - Program crash
  PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2764 -ip 2764
1⤵
PID:4924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1040
  2⤵
  - Program crash
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3800 -ip 3800
1⤵
PID:1588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1028
  2⤵
  - Program crash
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4348 -ip 4348
1⤵
PID:1580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:2040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1040
  2⤵
  - Program crash
  PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2040 -ip 2040
1⤵
PID:4512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1044
  2⤵
  - Program crash
  PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4160 -ip 4160
1⤵
PID:1376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:1540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 852
  2⤵
  - Program crash
  PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1540 -ip 1540
1⤵
PID:456

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 868
  2⤵
  - Program crash
  PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4432 -ip 4432
1⤵
PID:1216

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1040
  2⤵
  - Program crash
  PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2024 -ip 2024
1⤵
PID:1608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 872
  2⤵
  - Program crash
  PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1424 -ip 1424
1⤵
PID:4816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:2344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 864
  2⤵
  - Program crash
  PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2344 -ip 2344
1⤵
PID:664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:3528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 880
  2⤵
  - Program crash
  PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3528 -ip 3528
1⤵
PID:4784

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 852
  2⤵
  - Program crash
  PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4204 -ip 4204
1⤵
PID:2300

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:5064
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 908
  2⤵
  - Program crash
  PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5064 -ip 5064
1⤵
PID:4656

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1040
  2⤵
  - Program crash
  PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4972 -ip 4972
1⤵
PID:4280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1104
  2⤵
  PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2824 -ip 2824
1⤵
PID:3824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1048
  2⤵
  PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1384 -ip 1384
1⤵
PID:2260

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 1040
  2⤵
  PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4536 -ip 4536
1⤵
PID:1716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 868
  2⤵
  PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4844 -ip 4844
1⤵
PID:5080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1096
  2⤵
  PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4632 -ip 4632
1⤵
PID:5088

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1056
  2⤵
  PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4812 -ip 4812
1⤵
PID:1560

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 928
  2⤵
  PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 548 -ip 548
1⤵
PID:3184

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:2956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 928
  2⤵
  PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2956 -ip 2956
1⤵
PID:552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 872
  2⤵
  PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2912 -ip 2912
1⤵
PID:2236

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 884
  2⤵
  PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3892 -ip 3892
1⤵
PID:1960

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 1048
  2⤵
  PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4504 -ip 4504
1⤵
PID:1288

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 928
  2⤵
  PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4164 -ip 4164
1⤵
PID:4768

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 872
  2⤵
  PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4480 -ip 4480
1⤵
PID:1748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1104
  2⤵
  PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3804 -ip 3804
1⤵
PID:4620

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 932
  2⤵
  PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1928 -ip 1928
1⤵
PID:4844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1040
  2⤵
  PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3552 -ip 3552
1⤵
PID:4632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:3696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 840
  2⤵
  PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3696 -ip 3696
1⤵
PID:4812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 872
  2⤵
  PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2744 -ip 2744
1⤵
PID:3800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 872
  2⤵
  PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4760 -ip 4760
1⤵
PID:2956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:4524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 872
  2⤵
  PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4524 -ip 4524
1⤵
PID:2912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 1040
  2⤵
  PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2032 -ip 2032
1⤵
PID:3892

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 872
  2⤵
  PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4408 -ip 4408
1⤵
PID:1572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 864
  2⤵
  PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1216 -ip 1216
1⤵
PID:3052

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 884
  2⤵
  PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4344 -ip 4344
1⤵
PID:3264

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 876
  2⤵
  PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1920 -ip 1920
1⤵
PID:448

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1100
  2⤵
  PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4400 -ip 4400
1⤵
PID:2024

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 852
  2⤵
  PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1248 -ip 1248
1⤵
PID:1584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 1040
  2⤵
  PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1376 -ip 1376
1⤵
PID:4968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 1040
  2⤵
  PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2956 -ip 2956
1⤵
PID:3900

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:2912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 848
  2⤵
  PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2912 -ip 2912
1⤵
PID:1684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 872
  2⤵
  PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 540 -ip 540
1⤵
PID:3468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 864
  2⤵
  PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2872 -ip 2872
1⤵
PID:3936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:2436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 920
  2⤵
  PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2436 -ip 2436
1⤵
PID:1792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:1848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 852
  2⤵
  PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1848 -ip 1848
1⤵
PID:3264

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3016
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 864
  2⤵
  PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3016 -ip 3016
1⤵
PID:4576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 828
  2⤵
  PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2964 -ip 2964
1⤵
PID:4844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1012
  2⤵
  PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2784 -ip 2784
1⤵
PID:4816

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:5060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 744
  2⤵
  PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5060 -ip 5060
1⤵
PID:1992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:1300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 868
  2⤵
  PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1300 -ip 1300
1⤵
PID:2700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 872
  2⤵
  PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4036 -ip 4036
1⤵
PID:4716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 860
  2⤵
  PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 740 -ip 740
1⤵
PID:3248

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 864
  2⤵
  PID:2268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4772 -ip 4772
1⤵
PID:3468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:1288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 932
  2⤵
  PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1288 -ip 1288
1⤵
PID:2624

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1040
  2⤵
  PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4652 -ip 4652
1⤵
PID:2824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 1044
  2⤵
  PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1956 -ip 1956
1⤵
PID:432

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 948
  2⤵
  PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 808 -ip 808
1⤵
PID:4696

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:1076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 872
  2⤵
  PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1076 -ip 1076
1⤵
PID:1436

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1588
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 1104
  2⤵
  PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1588 -ip 1588
1⤵
PID:2964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 884
  2⤵
  PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4948 -ip 4948
1⤵
PID:2128

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 952
  2⤵
  PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2852 -ip 2852
1⤵
PID:1944

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4780
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 884
  2⤵
  PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4780 -ip 4780
1⤵
PID:1228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 864
  2⤵
  PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2356 -ip 2356
1⤵
PID:1744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 864
  2⤵
  PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3580 -ip 3580
1⤵
PID:2020

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 876
  2⤵
  PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 740 -ip 740
1⤵
PID:3188

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 864
  2⤵
  PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1044 -ip 1044
1⤵
PID:1684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 856
  2⤵
  PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3896 -ip 3896
1⤵
PID:3584

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 852
  2⤵
  PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 844 -ip 844
1⤵
PID:1716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 864
  2⤵
  PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2168 -ip 2168
1⤵
PID:3004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:4480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 864
  2⤵
  PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4480 -ip 4480
1⤵
PID:3788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4620
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1016
  2⤵
  PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4620 -ip 4620
1⤵
PID:1092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:2028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1028
  2⤵
  PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2028 -ip 2028
1⤵
PID:3804

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 868
  2⤵
  PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3456 -ip 3456
1⤵
PID:4632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3168
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 864
  2⤵
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3168 -ip 3168
1⤵
PID:628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 856
  2⤵
  PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 664 -ip 664
1⤵
PID:4452

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2344
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 876
  2⤵
  PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2344 -ip 2344
1⤵
PID:3812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 864
  2⤵
  PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 548 -ip 548
1⤵
PID:4064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1100
  2⤵
  PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3248 -ip 3248
1⤵
PID:4500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 864
  2⤵
  PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3912 -ip 3912
1⤵
PID:1684

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3872
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 844
  2⤵
  PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3872 -ip 3872
1⤵
PID:3824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:2624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 868
  2⤵
  PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2624 -ip 2624
1⤵
PID:4608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:1792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 872
  2⤵
  PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1792 -ip 1792
1⤵
PID:4284

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 928
  2⤵
  PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3264 -ip 3264
1⤵
PID:64

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1092
  2⤵
  PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4628 -ip 4628
1⤵
PID:3596

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 860
  2⤵
  PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5080 -ip 5080
1⤵
PID:2964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:5024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 864
  2⤵
  PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5024 -ip 5024
1⤵
PID:2768

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 860
  2⤵
  PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3092 -ip 3092
1⤵
PID:3760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 884
  2⤵
  PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4792 -ip 4792
1⤵
PID:936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 872
  2⤵
  PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4400 -ip 4400
1⤵
PID:1744

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1036
  2⤵
  PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3800 -ip 3800
1⤵
PID:3012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:4348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 920
  2⤵
  PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4348 -ip 4348
1⤵
PID:3468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:1352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 848
  2⤵
  PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1352 -ip 1352
1⤵
PID:4204

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:4656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 680
  2⤵
  PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4656 -ip 4656
1⤵
PID:2664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:540
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 868
  2⤵
  PID:1716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 540 -ip 540
1⤵
PID:3628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:2320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 928
  2⤵
  PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2320 -ip 2320
1⤵
PID:4692

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 872
  2⤵
  PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 432 -ip 432
1⤵
PID:2884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 952
  2⤵
  PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3264 -ip 3264
1⤵
PID:1096

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 852
  2⤵
  PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4188 -ip 4188
1⤵
PID:2764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:4636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1028
  2⤵
  PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4636 -ip 4636
1⤵
PID:2768

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:5116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 856
  2⤵
  PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5116 -ip 5116
1⤵
PID:1580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 860
  2⤵
  PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1828 -ip 1828
1⤵
PID:3236

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 860
  2⤵
  PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3404 -ip 3404
1⤵
PID:4924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 848
  2⤵
  PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4460 -ip 4460
1⤵
PID:1376

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 916
  2⤵
  PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2744 -ip 2744
1⤵
PID:4280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 844
  2⤵
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2416 -ip 2416
1⤵
PID:3304

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 876
  2⤵
  PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4312 -ip 4312
1⤵
PID:2912

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:5048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 876
  2⤵
  PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5048 -ip 5048
1⤵
PID:3588

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:1672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 848
  2⤵
  PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1672 -ip 1672
1⤵
PID:876

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 924
  2⤵
  PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2772 -ip 2772
1⤵
PID:3056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 876
  2⤵
  PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1660 -ip 1660
1⤵
PID:4576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1792
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 952
  2⤵
  PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1792 -ip 1792
1⤵
PID:4868

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:3116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 1088
  2⤵
  PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3116 -ip 3116
1⤵
PID:916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 848
  2⤵
  PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3084 -ip 3084
1⤵
PID:5080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 756
  2⤵
  PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2128 -ip 2128
1⤵
PID:1580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1048
  2⤵
  PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4892 -ip 4892
1⤵
PID:4952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:2636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 864
  2⤵
  PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2636 -ip 2636
1⤵
PID:652

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 908
  2⤵
  PID:1180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1268 -ip 1268
1⤵
PID:4968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4716
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 876
  2⤵
  PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4716 -ip 4716
1⤵
PID:3616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 872
  2⤵
  PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4104 -ip 4104
1⤵
PID:4496

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:1936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 864
  2⤵
  PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1936 -ip 1936
1⤵
PID:3248

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 928
  2⤵
  PID:3212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4456 -ip 4456
1⤵
PID:1748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1052
  2⤵
  PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1212 -ip 1212
1⤵
PID:4772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1048
  2⤵
  PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3896 -ip 3896
1⤵
PID:556

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:4652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1104
  2⤵
  PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4652 -ip 4652
1⤵
PID:1056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:2656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 876
  2⤵
  PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2656 -ip 2656
1⤵
PID:1916

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 876
  2⤵
  PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1848 -ip 1848
1⤵
PID:4476

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:5108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 864
  2⤵
  PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5108 -ip 5108
1⤵
PID:1144

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1092
  2⤵
  PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2784 -ip 2784
1⤵
PID:628

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 928
  2⤵
  PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3760 -ip 3760
1⤵
PID:1992

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:1052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1028
  2⤵
  PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1052 -ip 1052
1⤵
PID:3592

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 840
  2⤵
  PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 452 -ip 452
1⤵
PID:3812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 928
  2⤵
  PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4760 -ip 4760
1⤵
PID:5064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:1060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 868
  2⤵
  PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1060 -ip 1060
1⤵
PID:4836

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 848
  2⤵
  PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4204 -ip 4204
1⤵
PID:2896

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 868
  2⤵
  PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3212 -ip 3212
1⤵
PID:1716

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 864
  2⤵
  PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2664 -ip 2664
1⤵
PID:2824

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:4408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 1020
  2⤵
  PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4408 -ip 4408
1⤵
PID:4576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- System Location Discovery: System Language Discovery
PID:4544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 868
  2⤵
  PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4544 -ip 4544
1⤵
PID:1092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1048
  2⤵
  PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4012 -ip 4012
1⤵
PID:4616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:1848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 848
  2⤵
  PID:2900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1848 -ip 1848
1⤵
PID:3264

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:5108
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 864
  2⤵
  PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5108 -ip 5108
1⤵
PID:1400

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 856
  2⤵
  PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4952 -ip 4952
1⤵
PID:3092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 868
  2⤵
  PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1084 -ip 1084
1⤵
PID:5060

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3812
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 860
  2⤵
  PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3812 -ip 3812
1⤵
PID:4812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:2972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 848
  2⤵
  PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2972 -ip 2972
1⤵
PID:3800

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 864
  2⤵
  PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 456 -ip 456
1⤵
PID:4512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 848
  2⤵
  PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4348 -ip 4348
1⤵
PID:3044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 876
  2⤵
  PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1788 -ip 1788
1⤵
PID:1044

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:1124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 864
  2⤵
  PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1124 -ip 1124
1⤵
PID:2484

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:5072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 864
  2⤵
  PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5072 -ip 5072
1⤵
PID:1056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 856
  2⤵
  PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1576 -ip 1576
1⤵
PID:1272

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:1092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 824
  2⤵
  PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1092 -ip 1092
1⤵
PID:4264

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1048
  2⤵
  PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3000 -ip 3000
1⤵
PID:1700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1048
  2⤵
  PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4476 -ip 4476
1⤵
PID:4012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 868
  2⤵
  PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5080 -ip 5080
1⤵
PID:2900

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:5024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 864
  2⤵
  PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5024 -ip 5024
1⤵
PID:2552

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:5044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 900
  2⤵
  PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5044 -ip 5044
1⤵
PID:936

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 848
  2⤵
  PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4712 -ip 4712
1⤵
PID:2308

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4936
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1040
  2⤵
  PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4936 -ip 4936
1⤵
PID:5064

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 860
  2⤵
  PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3964 -ip 3964
1⤵
PID:4368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 756
  2⤵
  PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 336 -ip 336
1⤵
PID:1352

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1020
  2⤵
  PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3892 -ip 3892
1⤵
PID:1924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 868
  2⤵
  PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3584 -ip 3584
1⤵
PID:1492

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Drops file in System32 directory
PID:4160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 872
  2⤵
  PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4160 -ip 4160
1⤵
PID:3748

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:3648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 852
  2⤵
  PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3648 -ip 3648
1⤵
PID:2708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:4164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 860
  2⤵
  PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4164 -ip 4164
1⤵
PID:4568

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 860
  2⤵
  PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1272 -ip 1272
1⤵
PID:2904

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\ÆÆCFÖ÷Çý¶¯.exe

Filesize
188KB

MD5
7ca42968561ee3bf40db27bab1183a2e

SHA1
aed5be730cf3ea9760a2347490d8f39432f405c6

SHA256
f2c9d69864a3968cb043d9ea5639ac786724e25df989a8400b251c321ecd93ac

SHA512
df8728c284cdff3ea9d11f3d1566edc26fc9bcff007964a0fef589f165f78f6c8ad4380fa39a2d421d747eed73ae0efc4a7df548147834f8e8ff5941708a0a34

Download Submit
C:\Windows\SysWOW64\2.mp3

Filesize
120KB

MD5
c3adbb35a05b44bc877a895d273aa270

SHA1
8afe20d8261d217fd23ccfe53bd45ad3bec82d2d

SHA256
b2b2ea9737587313d420bde96a42063c002a83e35d9f987f8ec0d5d4d96c262c

SHA512
614dc24e3368047d68e2833ecdf9cda1f5ef290fc74287769a70df46bfa937386ce2e1332b3bada0f7e54b470ecdfe7c8bbd4ec3fa1c815f52993bb7edb93afc

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
510B

MD5
b2721170fbf017b9812f1968e2940958

SHA1
280c749e4c89f3ed7423ba3e9b3727ed1869ad5b

SHA256
f348a9debdaf38c0cd26429eefac17eca7e43a85b77cbcb9d09f60f5977978b0

SHA512
7d1e4f95f900f9121b8a206dd24b68c288db03fcfdfb921c91ec8ce6dae09d6f1c400338f4e6713153167ea1b03e70c7109001416e3c862ac8ba303201ef13e9

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
612B

MD5
93f70c9440b769861d9db3ca41eb1ad1

SHA1
50c95dc9d17a4007062aea51b4a3f6c5861d7204

SHA256
f56f3b3864d0ccf51d4b1343db23dc383b47c0b4da92b1dbba97db1082ca0b74

SHA512
487666cf9bd23d66a448def9b52d9be99a07deaf664c3f0d8b976ad21c4653b6eef6ac743d0e0e23a198239521d4453cbcc8b4aef834a21b0c952c5a82c536de

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
714B

MD5
ad0de153288bfb3d507a7fd353be2c25

SHA1
6933af6044db7f39612bc32d95264e97c52137d8

SHA256
56d0e922d761b3748472ab628772fee09c8d78c1e2176bb6cba043d878042519

SHA512
be07dde01a299f5d15b002402d99e341d03cc9c42f792e15d7e0f82c655ef3ce2c5bc3fae9a49006ef5a6556a7beac71d66df688f399f1497a74c81b8b91475f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
816B

MD5
d7594fdc9aa715e739224d8aefd8b9f2

SHA1
c0dd57508dc8b92296cac619d219f2b7e58df1ff

SHA256
aed784776613683e55c8bc7ed761ebeeb554295b4761a022533be8f1fbc688a8

SHA512
a52e0511ea4dc6dd39dd8139b0f342b3adb4a2e903688a81bc6a2d871e27ff659d878d4e07eab1c499c9a21059c341470995e1eca2523c2686770d7e21c4da06

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
918B

MD5
40b21c625addd32543cb27f33e81015d

SHA1
dd12c06c4e6816270aa0177e406f7e71a6e0c9f2

SHA256
85153d71b5d70ed4ce27b2d6a31bf1d9b4d205f87cd284161235aa95e65867a9

SHA512
6140f97509c5c89821b806789dd3083af7a6e42a86e068e27a8777eafe29f4835191e49634cd707a145aa1bc5463ad2d96d630ad81239b5bdd7f04a4323b9c5f

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1020B

MD5
67df86363a13d695fd3ad263ab9969fc

SHA1
7fdaa51b6a962a524323ffd29f446be4430816e3

SHA256
a32cee218fc1acb7f4128daa2a5be5375ba986c1318b8ea11ce40a2cab9748bf

SHA512
9835fe8a81a48e32c5a44962475e0f0e140c9044974f767ef7d031f106419e6964b8c8e707634f88e03249ae558a7ae1be5fcd36eb7a911f11832acc12448e5c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
e7a36447cbdb6ddb7833e527dca1aea7

SHA1
a64898648c84080d92e6357cf5d87a0c4217694a

SHA256
c86156cb2551f6f810ccfc9789afb5b44984cfc0e3122f62bf1acf60f930bead

SHA512
a0cb4213b3d25dfa45a7e58ed27a6f048d3c503213c13ea16bb049ccc1a5cac4d735355338fed7d9690942de9b40dc4be16283c07f3a808218695ce8087f3d52

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
94cd273d0135e219ff7743e66fd0499b

SHA1
63a21512024fe7ad8b747046c6f6348241c10a41

SHA256
9b161f1e11f0afd50cd9cb38d36ac0348cdfc4e562dbd5815355c189f56d7148

SHA512
b919a0ec7d422ff2875b1d404e6c8cf35fdbaab16ab439d0395e19e02106ac0dece0fa7c5e60530a84f77852a7ee2f0af0781b17291dad70c548ed4746581528

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
d866bfe3dab94cc498b7ca883f3e2fe7

SHA1
a67cca3a6c4ee6b68090025bc65fe5edf1a19057

SHA256
957fe41d13b744c6f08eb4ad02039752a8aafe00eb17b91d3c55a6011ccaea8d

SHA512
f38f7bfce6bf4e7b1914d4156ee4cbd7c8ee688bb445672b3100459212d02e022671e7d211634593ac13c5bc6d05aea455071c24c66df920f11ad9614450b343

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
bbb8c96d7f92c93ce2d0d0227be3373c

SHA1
6f34adebd6ef1004e04f55dc69414b87a3b6cd2a

SHA256
382a1448bac1082a1e8f5df8c559ecde7a9bc7dfce690622294d64fd8679afc3

SHA512
610c7143b2deafaefeef9a638e5d24f1331fac29f5fb002d629cafae3d8ede247ce47d1a6678ac7a4dfef72d78dc36642d29fe7c1b07a4ee140d31ffddd1b2d1

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
e36cda555b4d8aae270ce0c90002aee3

SHA1
da77135c6767154f9bbeeef34a0590dee0af9e5e

SHA256
dd24ab29611a5181069c9ed22d7ef34e6d6bcdab06bca8f5b1f175e065e86b94

SHA512
59af4635f000b9c4b2e71bb5596a2bb38bffbd1e88f89ee83702ca4ee434e42397e7b01a17812be1b69ed75bbf4468e6707eb431d4a3346acb45561ec481d473

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
80bf7ca018734e939d17e43b8025901c

SHA1
4ed88250d8185f3d8fad2093b67603fc609dd555

SHA256
7fd2af85a79098c4ad965de455b3fdd293a9a840e8a1bea17e69bf9480df0b3e

SHA512
44dd25b5f6ea2c728bbae93daf89292a3604327b00382c753412f33aca98ed6285fa8cc79cd1df233fd7569d8058f1e164c4dd79dc262a2aaf78ad1d2c68ecb9

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
bfcea40a427ce6b9333eec9fdd24395a

SHA1
eac3c27ee7622fe219e0e5589848ccd87eca19ae

SHA256
c2c19b1f33e985485a9a6804fbec125139a169b9b4e6aaa11a359f9ca70dc074

SHA512
1094a92922fbf0c516765b1a26c05841cb0bf3205f475051e0ee413d17d1974a82c394b5ddaf6d9212acc5d34d4138fbebf5a948d947f1eee9dac5dab83b2921

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
a1e1df24b7616c6698f5a2c1bd28a386

SHA1
3dbd3dded06bab78392d1e9139c6ed16049ea36b

SHA256
d77f7dc28a550cbe632e43d632d88ed43db9288f06d260c3a8691e1e6bb6641f

SHA512
4a3bf78cf21d633d04a343bde3459cf6b5d65719922f280d065caa70ddf1cd8a4eda448a87eeae49acf0a1ff8ecea9bfcef26017ca3f107fc617ed25fba9de12

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
269a1e220eed1c8f13421c3c754432b3

SHA1
e0c51908ae7453feda276b66076c9d42437e6ffc

SHA256
01f9e35c6c0ae27ae3a675f5d0cfdd3a8a02cc52c0aac78502e3abcf0f372db9

SHA512
c729f9b56e9f1fb4d719df99e76d50f3f6495cc3d00b5afbe02781284fa5b22fc20e004ec3d5c40a75fe0b4e5736c708533feaf42248d0effe913da23cb71bec

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
1KB

MD5
d6f7800d80cc8daac939fc220fa2eee9

SHA1
dbc676a77da13a529a72c5ceba471d2c81c4d173

SHA256
9f7e351289a8d4a35cb1ea4a2a7db9c905ac72a2836621f24a867cd4d86e668a

SHA512
6f1c188e120b3de4b8035384f5e3a8a337faa9ba6bdf8d942eb3e021a764c66ca3b225b458f09f4dada92e748447320eef550d00c0826002c94c520e1b68059c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
c7e9b5266af8bb40b862c2c9978bc2b6

SHA1
21803f8e495c0472c8ffcbb4d631748ccb789eec

SHA256
3970039171b3c3e2ddf5a1d760bf2899a77b1723c99c040b8b071d876d32eac8

SHA512
75238f3d8f783102972d30e0b32019e656c88d0f0f26313572d56adf746e6ffe5ab8855a1fb4fac2d2b81505ac123260d9d927f6f92848b3b4c122bbf2cddd92

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
c6d5dcbfaafe844f75c9fd81d8df092b

SHA1
33ac9f8ac2f76e232ea7a00bd22d9b44500e7d35

SHA256
41339a9dde2bed7e3b47054608aaa54bde8364c2a821407468753c4b3b9eadad

SHA512
a2dee407ee36807c3bfef40ab145fe8cfe3618211ea7e715d654521a0bc4b2cb05a8c80f8a354214bc8e479edd46fa634324beb93d5a18d03ae325a44623304b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
20678df7fb9d39afbc9b67e0feed24b7

SHA1
a194b71e27bbd2435bde88d0ab0c3bf23b040f25

SHA256
2100a20590df96693d1d5f885bc0c167e2ff873921b1348c06b948902add91bb

SHA512
3d804cc59297074e324371f1bf94dcd2c696af7e257bd3923581c2b43317b9d1f4ecfc111ae761ec9f6daa5e01a335445ad37d8f05ec3e3864bafdd600248f9b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
ebe6368c014629c4e4ebce44ff1ab64e

SHA1
b1ad86d15521ccf438bf7fcfa684327ae0b56f9e

SHA256
17e2b6ce73eb59a819d7d45143c725b9ed90810c0a327ad2b670bdc65c485dc5

SHA512
b580ccd6c20d23ab012d8ea07f110841805c92a215b9d8a3ac0a800e35f772eca717bc0d489df40adba27973eb9f6143021da8739a29432a322c91302db9337c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
f323b95b27923f44f0c3582d4dfa0cf2

SHA1
ae1bb15c6957d7ee81461fc154f2adaf32fa259d

SHA256
a0093ace1e9f482e935f9c9cf76cd5e290548a4c90df26e706137fcce24b52e5

SHA512
76f56a228c78328ba135ba6d2fbe503d788aa5220439548bf7de7f2e557ef5bcaf4e7d7ff62f75138cdeefd76593ab0ad79aafe374275a9f6ee53b1753cfb868

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
89e9c563a61cc005c1a0d007e3dd3e9e

SHA1
23368f1718ce0d744e9869f6972137365729ad60

SHA256
361b0615abf5f890c7aed19a66aa03fb54c0081f58f1c07674dd5eeea2253a6d

SHA512
c437c1e074d17d22fead55ab929c8e1706c1e7da68b05240aaf5c671cb866002fcdb6726c5c048d00f4a4f6b2d2b84beb720a51ee9e868fb352832a3e6701e03

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
1f4eb23cf5dd9a9ca69233ba3d5d2cc1

SHA1
efa882a5da660bedbc571d28ce1d16ee1cfd8e86

SHA256
29f2f00df454c778fac48da05481ed894d46a9abefe4ca537576f3a5bbf615ec

SHA512
74c5b61df9c2c83dfeb6ff78f909a85f85a68b51abf447e9d035b7cbad1b293b18e725c9ef9a1cf3beb087dbcd5b42ffe677db063755f99a1784cb41ba773869

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
b4cd4630b1133acea30a5ade2ba13925

SHA1
95929b4c8757fb13e80b8353b36118e244e9e611

SHA256
b5e882a44e8dddef0080a09448b58e04978c4edc1b573e6e9d503f11b45058ba

SHA512
23f19cd5a2756af19858d4e14ddc1727bf671a702f297e4dc8768c3b30b84bd9b7c108bafa471d1a4737e10ca8333a250152873f1be062abdf2cb1e4f0cb564c

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
2KB

MD5
8e45721cb5adab5832be2ebcc82bbb7d

SHA1
0d747296f0d3ba074b8fc7903e5dd78a556913dc

SHA256
149880be12a597362e23c12d7e2379da2177722ef3162bb739b56b3ef61103ff

SHA512
30e9a6981e67357fe9bb2a648a510a198a8b38502c78470fc366c7c437c158a14a651bdcb8524991e121ed423ed4fc4a8c7fd0ab7818e8e8d469b88e99cb15a0

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
204B

MD5
97a1ada0496b42dcf82aa219185aafdc

SHA1
8ee473d0d823d015b51ca3f267f91653d248bf9f

SHA256
44c0c00bd049122fe11f7dee0552a41db6acebf9f4ffcf68d5c4d86da7bd1ead

SHA512
18a3603fe0303d235f1a93fbd8edc117b621f9a454bfe9b730f6290a8631353c7dc0f1c97ad14a87e7ab1d680114263272a1ee11aca3abdb25ca4c39fb4d643b

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
306B

MD5
a755070a27fec9b2e6e59697247b0c96

SHA1
f2e66ffd36535e640ec7652f5b6effa5501e0054

SHA256
8a77c82b8b696e5ecf26b4d062502367372d5ee50dd82134ac6de4f1b4701a29

SHA512
5ccf8583587b38f0d14a2791efae9612ff491e5a5bdbcfa98005a3eb0cee4bb300df02a2ae92f44ffba403cd113da346a49eb02a61c954236c549ef3010c1894

Download Submit
C:\Windows\SysWOW64\svchost.exe.txt

Filesize
366B

MD5
d681f0e768f6b673104bffdc0f885f06

SHA1
992a7b3d589e1dd5a9ca343acff016e15a6104db

SHA256
4d613adc770d5a9ea195272168b3d824851ae11c999f424ffefaf3b235e345bb

SHA512
8f03e29219c91bbe9a232423f0f59b82a7f0734fb62b1aef5d36dd534032a7b1883a3f269c65fa4dbc11073fe08493a3728fe6a1c4d1baf0706eba0ead782dfb

Download Submit
\??\c:\users\admin\applic~1\tnjeg\pupcv.dlc

Filesize
512KB

MD5
712f24db2607d60039798fa541350a77

SHA1
32bcfdb03f273fc1a79084d679e455503a038d94

SHA256
6e972587d47ecb283784d4af12e921a1fa9374d6a134ae91a7d247778cd61b0c

SHA512
334f90e24bcc2fc7d0b7c8d820bb76ba13f19b59ff69d2a5d40923ba9ca0cf785828ae16e87f1273d3be53c55c52c9643420044b1ce24d07e01ef57e11fbf320

Download Submit
memory/232-125-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1240-131-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/1384-97-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2040-113-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2436-103-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2484-100-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2740-91-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3164-134-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3804-116-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/3836-33-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-27-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-109-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-3-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-11-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-44-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-17-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-5-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-19-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-48-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-23-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-42-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-41-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-2-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-47-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-38-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-4-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-0-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-9-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-55-0x0000000003570000-0x0000000003591000-memory.dmp

Filesize
132KB

Download
memory/3836-13-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-35-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-15-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-21-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-25-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-7-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-29-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/3836-31-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/4080-128-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4512-122-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4664-137-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4760-94-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4868-119-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/4892-110-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/5116-106-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download