Malware Analysis Report

2025-01-22 15:11

Sample ID 240220-kecw3sdg7y
Target ahk.exe
SHA256 cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82
Tags
orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82

Threat Level: Known bad

The file ahk.exe was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcurs Rat Executable

Orcus family

Orcus

Orcus main payload

Orcurs Rat Executable

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-20 08:30

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 08:30

Reported

2024-02-20 08:47

Platform

win7-20231215-en

Max time kernel

33s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ahk.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Data\CheckUpdate.exe.config C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File opened for modification C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2516 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2516 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2440 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2440 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2440 wrote to memory of 2836 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2516 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2516 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2516 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2516 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 2516 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 2516 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 3004 wrote to memory of 1180 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 3004 wrote to memory of 1180 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 3004 wrote to memory of 1180 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 2552 wrote to memory of 1196 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 1196 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 1196 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 1196 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1196 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1196 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1196 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1196 wrote to memory of 528 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 528 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 528 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 528 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 528 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 2796 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2796 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2796 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2796 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2796 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2012 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 1468 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 1468 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 1468 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 1468 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1468 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1468 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1468 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1468 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3048 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 3048 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 3048 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 3048 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 744 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 744 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 744 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2552 wrote to memory of 744 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 744 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 744 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 744 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 744 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2460 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2460 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2460 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2460 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 920 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ahk.exe

"C:\Users\Admin\AppData\Local\Temp\ahk.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gfrzg-o9.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4683.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4672.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\System32\Data\CheckUpdate.exe

"C:\Windows\System32\Data\CheckUpdate.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3F2487BB-231B-473A-9E7F-55F547EE45DD} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Windows\System32\Data\CheckUpdate.exe

C:\Windows\System32\Data\CheckUpdate.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 548

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 528

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 540

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 548

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 556

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 540

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 540

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 528

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 556

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 556

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 556

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 552

C:\Windows\System32\Data\CheckUpdate.exe

C:\Windows\System32\Data\CheckUpdate.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 centre-shaped.gl.at.ply.gg udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 8.8.8.8:53 centre-shaped.gl.at.ply.gg udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp

Files

memory/2516-0-0x00000000021E0000-0x000000000223C000-memory.dmp

memory/2516-1-0x0000000000500000-0x000000000050E000-memory.dmp

memory/2516-2-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/2516-3-0x0000000002060000-0x00000000020E0000-memory.dmp

memory/2516-4-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\gfrzg-o9.cmdline

MD5 8236b522d94c68809178b3d9c895f5ba
SHA1 82b9029067110677ec7eafe0ca59649d00ad8346
SHA256 69ebe1144a4e55d30ce3f744f92c4e6f1b95e0505d07a5abb33d1373e82c10b8
SHA512 35aea35d018181b23961b9b3ac03d7b9c0bc27bcc9a77dfe0de715594fa07d206a11bdcc8534afd473911565b6ce4eff15b868373db3aee78935513feb57cb44

\??\c:\Users\Admin\AppData\Local\Temp\gfrzg-o9.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

memory/2440-10-0x00000000007E0000-0x0000000000860000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC4672.tmp

MD5 8a3f506dce6250cca4e5919648896b3b
SHA1 63964558373b36e6123a4273ac970541c97df54d
SHA256 da17ee7cef93d473e567bec55809784c6f8c7cf64025a45fc259bc652e1187ec
SHA512 6aebe2410eac64c157680310f43cbc6f4231eab4773c2c478ccceaae39714d6c2f081363e0ec110341bbeea2e3c6a5af439422c082b9569cfac01f15e144501b

C:\Users\Admin\AppData\Local\Temp\RES4683.tmp

MD5 06f7e20f5d3d3ac5a3d5523957905c47
SHA1 8036b14b64a2ae36ded6de9fe152cef7e5f7be4b
SHA256 7cb91aadc85b49486bc98f082335339d23c059b3b36cfc0aadd46d366298dad7
SHA512 550ae6b0bae90ddb19fbac191c673d2f43ac036f3f563e72a7f59ac37975f1f831be9ac7134003b48a3e236d40d1911d28e5bd9b03b6311a520e16c0c681e2c6

C:\Users\Admin\AppData\Local\Temp\gfrzg-o9.dll

MD5 bacc610fd8491f03fe5cce8a73130cd8
SHA1 731e7fe1b85f172531b01526de9d666d49a193e4
SHA256 555a76ca41e7e6e8db15060c2d9e351c7bef95216a3f03dd6b0c40db4814481c
SHA512 fb8498ba35bfa0491789f3cb25a966f2ea3812ff11d9eb28e0c57636902e9900fa0fea04a1b42accda210ea249d30d44bf4c26b0a57efbf6e34e30339d0f9bd3

memory/2516-18-0x000000001AF00000-0x000000001AF16000-memory.dmp

memory/2516-20-0x0000000000540000-0x0000000000552000-memory.dmp

memory/2516-21-0x0000000000730000-0x0000000000738000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2040-29-0x0000000001220000-0x000000000122C000-memory.dmp

memory/2040-30-0x000007FEEEB70000-0x000007FEEF55C000-memory.dmp

memory/2040-31-0x000000001B2E0000-0x000000001B360000-memory.dmp

memory/2040-34-0x000007FEEEB70000-0x000007FEEF55C000-memory.dmp

memory/2572-36-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp

memory/2572-37-0x0000000019300000-0x0000000019380000-memory.dmp

C:\Windows\System32\Data\CheckUpdate.exe

MD5 fd8c295d75ffb1367e7f8248336fbdb7
SHA1 52c3aed0df6a5f9751db4436f6a23e718ad164d7
SHA256 cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82
SHA512 c27eddce59609f602a8b0d2fff0fadbc3a9837093351048b7bf3d3a9a3a668eb02e9ec63513866b4d76db088472efe03947f4f71c72539daf1488de38dbc26e0

memory/2552-47-0x0000000000B30000-0x0000000000C1C000-memory.dmp

memory/2516-49-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp

memory/2552-48-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp

memory/2552-50-0x000000001B200000-0x000000001B280000-memory.dmp

memory/2552-51-0x0000000000360000-0x0000000000372000-memory.dmp

memory/2552-52-0x00000000004F0000-0x000000000053E000-memory.dmp

memory/2552-53-0x0000000000590000-0x00000000005A8000-memory.dmp

memory/1180-55-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp

memory/1180-56-0x000000001AE50000-0x000000001AED0000-memory.dmp

memory/2552-57-0x0000000000740000-0x0000000000750000-memory.dmp

memory/2552-58-0x000000001B200000-0x000000001B280000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/1196-67-0x0000000001050000-0x0000000001058000-memory.dmp

memory/1196-68-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1196-70-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/528-71-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/528-77-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2572-78-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp

memory/2796-82-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2012-85-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2572-88-0x0000000019300000-0x0000000019380000-memory.dmp

memory/1468-89-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2552-91-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp

memory/3048-92-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1468-94-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1180-100-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp

memory/2552-101-0x000000001B200000-0x000000001B280000-memory.dmp

memory/3048-103-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/744-104-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2460-106-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/744-111-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2552-115-0x000000001B200000-0x000000001B280000-memory.dmp

memory/920-117-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2460-114-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1072-118-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/920-123-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1072-125-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2528-127-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2656-129-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2528-134-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2656-137-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1696-138-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2376-140-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1696-145-0x0000000074C70000-0x000000007535E000-memory.dmp

\Users\Admin\AppData\Roaming\svchost.exe

MD5 73dd8c4462afff81cd1a7221af7eb566
SHA1 0f0a7e4c588e5cb956b8a19010f7d3fc5b3299b7
SHA256 25bacd03d420dc9b4bb8e987f0295c11df71f21052f174b24be0f2778a513580
SHA512 74e14cec31dee1accf005707a0c1ff633b3bb678deb9f19588d8b32ccfc471ab6590120e0c23a27d21bef8582d1395d891162dcafefb6e5e8ece627191f9209f

memory/2376-147-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2812-148-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1664-149-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2812-150-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/1664-151-0x0000000074C70000-0x000000007535E000-memory.dmp

memory/2000-152-0x0000000074C70000-0x000000007535E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-20 08:30

Reported

2024-02-20 08:47

Platform

win10v2004-20231222-en

Max time kernel

600s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ahk.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Windows\System32\Data\CheckUpdate.exe.config C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ahk.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WindowsInput.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4040 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4040 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 4300 wrote to memory of 3824 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4300 wrote to memory of 3824 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4040 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4040 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 4040 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 4040 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 2736 wrote to memory of 3540 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 3540 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 3540 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3540 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3540 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3540 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 5048 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 5048 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 5048 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5048 wrote to memory of 228 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5048 wrote to memory of 228 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5048 wrote to memory of 228 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 4888 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 4888 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 4888 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 4888 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
PID 4888 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
PID 4888 wrote to memory of 2216 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 4448 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 4448 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 4448 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4448 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4448 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4448 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 3480 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 3480 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 3480 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3480 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3480 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3480 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 3964 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 3964 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 3964 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 3964 wrote to memory of 2116 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3964 wrote to memory of 2116 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3964 wrote to memory of 2116 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 5060 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 5060 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 5060 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 5060 wrote to memory of 4544 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5060 wrote to memory of 4544 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5060 wrote to memory of 4544 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 2796 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 2796 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 2796 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2796 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2796 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2796 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 4944 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 4944 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 4944 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 4944 wrote to memory of 4832 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4944 wrote to memory of 4832 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4944 wrote to memory of 4832 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2736 wrote to memory of 1448 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe
PID 2736 wrote to memory of 1448 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Windows\SysWOW64\WerFault.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ahk.exe

"C:\Users\Admin\AppData\Local\Temp\ahk.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bgbaofgo.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E52.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E51.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\System32\Data\CheckUpdate.exe

"C:\Windows\System32\Data\CheckUpdate.exe"

C:\Windows\System32\Data\CheckUpdate.exe

C:\Windows\System32\Data\CheckUpdate.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1648 -ip 1648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 776

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2216 -ip 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4996 -ip 4996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1656 -ip 1656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2116 -ip 2116

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4832 -ip 4832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 772

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5048 -ip 5048

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1464 -ip 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4544 -ip 4544

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3044 -ip 3044

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1880 -ip 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4508 -ip 4508

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4720 -ip 4720

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1388 -ip 1388

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1844 -ip 1844

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3424 -ip 3424

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4048 -ip 4048

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4448 -ip 4448

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3232 -ip 3232

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2992 -ip 2992

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 464 -ip 464

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3760 -ip 3760

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2816 -ip 2816

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 788

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4040 -ip 4040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3480 -ip 3480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4456 -ip 4456

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2664 -ip 2664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4492 -ip 4492

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 720 -ip 720

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2948 -ip 2948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 392 -ip 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3984 -ip 3984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1644 -ip 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4888 -ip 4888

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1956 -ip 1956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 776

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3504 -ip 3504

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3264 -ip 3264

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4692 -ip 4692

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3956 -ip 3956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4832 -ip 4832

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1780 -ip 1780

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4448 -ip 4448

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 784

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4092 -ip 4092

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1424 -ip 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1616 -ip 1616

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2368 -ip 2368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3528 -ip 3528

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 776

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2168 -ip 2168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3696 -ip 3696

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3400 -ip 3400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1196 -ip 1196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3944 -ip 3944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4668 -ip 4668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1620 -ip 1620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3456 -ip 3456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4672 -ip 4672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1236 -ip 1236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 780

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 796 -ip 796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4560 -ip 4560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 792

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3676 -ip 3676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 792

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3824 -ip 3824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 772

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2796 -ip 2796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 100 -ip 100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 796

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5004 -ip 5004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5052 -ip 5052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 772

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 408 -ip 408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2340 -ip 2340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3616 -ip 3616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2336 -ip 2336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2760 -ip 2760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2056 -ip 2056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 772

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3984 -ip 3984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 788

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4908 -ip 4908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2640 -ip 2640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3944 -ip 3944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 812

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3256 -ip 3256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2796 -ip 2796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2372 -ip 2372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3212 -ip 3212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2056 -ip 2056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4696 -ip 4696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1944 -ip 1944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1160 -ip 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3332 -ip 3332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4812 -ip 4812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4632 -ip 4632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3676 -ip 3676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1632 -ip 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 316 -ip 316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3456 -ip 3456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2192 -ip 2192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1644 -ip 1644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2580 -ip 2580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4252 -ip 4252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2992 -ip 2992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3512 -ip 3512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 428 -ip 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 780

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2372 -ip 2372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2088 -ip 2088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3932 -ip 3932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3336 -ip 3336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1780 -ip 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2116 -ip 2116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 772

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1640 -ip 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3484 -ip 3484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1344 -ip 1344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4772 -ip 4772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1880 -ip 1880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 528 -ip 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2600 -ip 2600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2816 -ip 2816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3504 -ip 3504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 60 -ip 60

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 776

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1164 -ip 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3048 -ip 3048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3344 -ip 3344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3644 -ip 3644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 948 -ip 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 772

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1392 -ip 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 772

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4832 -ip 4832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4680 -ip 4680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2656 -ip 2656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2052 -ip 2052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2492 -ip 2492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 776

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2336 -ip 2336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4112 -ip 4112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 784

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4436 -ip 4436

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1048 -ip 1048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3704 -ip 3704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3176 -ip 3176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3220 -ip 3220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5008 -ip 5008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4924 -ip 4924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3240 -ip 3240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 528 -ip 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1888 -ip 1888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4872 -ip 4872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3788 -ip 3788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3824 -ip 3824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4188 -ip 4188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2056 -ip 2056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4792 -ip 4792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3680 -ip 3680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3584 -ip 3584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 784

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4888 -ip 4888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1684 -ip 1684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2036 -ip 2036

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3788 -ip 3788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2044 -ip 2044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1632 -ip 1632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2792 -ip 2792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2336 -ip 2336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2040 -ip 2040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4452 -ip 4452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3780 -ip 3780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4288 -ip 4288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 60 -ip 60

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3212 -ip 3212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2568 -ip 2568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 776

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4904 -ip 4904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2516 -ip 2516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2360 -ip 2360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1512 -ip 1512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 772

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5008 -ip 5008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 736 -ip 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4896 -ip 4896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1520 -ip 1520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3104 -ip 3104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1692 -ip 1692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3260 -ip 3260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2344 -ip 2344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3912 -ip 3912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3692 -ip 3692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3120 -ip 3120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4684 -ip 4684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3168 -ip 3168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3896 -ip 3896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1296 -ip 1296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2488 -ip 2488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4220 -ip 4220

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3760 -ip 3760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3260 -ip 3260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2728 -ip 2728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5072 -ip 5072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3584 -ip 3584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 768

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3644 -ip 3644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 764

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 centre-shaped.gl.at.ply.gg udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 20.231.121.79:80 tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 8.8.8.8:53 centre-shaped.gl.at.ply.gg udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp

Files

memory/4040-0-0x00007FFAE56B0000-0x00007FFAE6051000-memory.dmp

memory/4040-1-0x0000000001660000-0x0000000001670000-memory.dmp

memory/4040-2-0x000000001BC10000-0x000000001BC6C000-memory.dmp

memory/4040-5-0x000000001BDF0000-0x000000001BDFE000-memory.dmp

memory/4040-7-0x00007FFAE56B0000-0x00007FFAE6051000-memory.dmp

memory/4040-6-0x000000001C340000-0x000000001C80E000-memory.dmp

memory/4040-8-0x000000001C8B0000-0x000000001C94C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\bgbaofgo.cmdline

MD5 f4b52e189e2a2e4c5b09ad66f62442c8
SHA1 3938c9ecda7006d6b46c0bc6de7221d67f46fdd1
SHA256 5d71575b5aa0555172a2dff3c14f770ab44a53e94be88186e1dd0e92079f1ff2
SHA512 9a8829a5752da05347d3ef97fadf83bf30d370a4c24da8076b339e3967acc491d37271b95c7de04bb81ec7f5857adac975cdcafc8afd0d2def9d90d6a47d0bb2

\??\c:\Users\Admin\AppData\Local\Temp\bgbaofgo.0.cs

MD5 ea16d9f61d7255e32708d49f48aa534f
SHA1 b2305b9c224baf53ec7451810a238d1c7e37c36a
SHA256 a3cd3e1e0fe00b62b84135775e703e6cdf248cac1c52d2215a60f45bbf9b491b
SHA512 d02fe52d7084d5e2d1fa5cf9b96438ac41a0b57c73ccf7f899cd1d2495f6c8b5feaf6ccb3d44e2454a2be4a4261cae1a664aa390ac4857ea1cf62e4139094e0b

memory/4300-14-0x00000000024F0000-0x0000000002500000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSC3E51.tmp

MD5 5f174057e9bd4e5239b4b6d2c7808fd5
SHA1 146198e7007d20355a6ca961ebf52846fcd3ddb8
SHA256 e766a0acbbfb0d47dc9054bee4306c11140f4cc5c9384b49a98703ec867970b7
SHA512 4fb3c904ab0f44b150ddbd227901c91d517544316d28c59be195c37644e0cef2f615099b1e096645498f9b7d111291ed8e49745a3604c716d0e8b8c8bf097594

C:\Users\Admin\AppData\Local\Temp\RES3E52.tmp

MD5 60e0d7b30f0d8d1858c18c752607c6f1
SHA1 81ffdfd666abfa3a332691b6a3c0561663d8e04e
SHA256 b291de9d7b11923830016acf5bb241af48f991d01ac1320699bc38e76c795977
SHA512 2207a7b40395915537c69450a3e703adbb6ee72aa8d29633f1421117dbc9cc8580096573af114c1632ab15c86b5a2e8d413062deb760e1a078976966c12186fd

memory/4040-22-0x000000001BE30000-0x000000001BE46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bgbaofgo.dll

MD5 f716e57873e70c24542aa260bf302668
SHA1 8f3e9f0b6b68410ad4278b7455830abe4c7bf0ce
SHA256 cc6a0b537a5d26d3aa2e45b45a1c5b6258bdec4e6a7f04410c314ce7443d04ff
SHA512 ba967f34b1bc0beaf0282a54e743226249520e138ed7294b704905c176b1789e2e255fb6dfb40074090c295b7443e89377daf2c72239df0f5a9a09c96fe1ed76

memory/4040-24-0x0000000001630000-0x0000000001642000-memory.dmp

memory/4040-25-0x0000000001610000-0x0000000001618000-memory.dmp

memory/4040-26-0x000000001C970000-0x000000001C990000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/3504-40-0x0000000000B30000-0x0000000000B3C000-memory.dmp

memory/3504-41-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/3504-42-0x000000001B820000-0x000000001B830000-memory.dmp

memory/3504-43-0x0000000002BD0000-0x0000000002BE2000-memory.dmp

memory/3504-44-0x0000000002C50000-0x0000000002C8C000-memory.dmp

memory/3504-48-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/4640-50-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/4640-51-0x0000000019F60000-0x0000000019F70000-memory.dmp

memory/4640-52-0x000000001A480000-0x000000001A58A000-memory.dmp

C:\Windows\System32\Data\CheckUpdate.exe

MD5 fd8c295d75ffb1367e7f8248336fbdb7
SHA1 52c3aed0df6a5f9751db4436f6a23e718ad164d7
SHA256 cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82
SHA512 c27eddce59609f602a8b0d2fff0fadbc3a9837093351048b7bf3d3a9a3a668eb02e9ec63513866b4d76db088472efe03947f4f71c72539daf1488de38dbc26e0

memory/2736-70-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/2736-72-0x000000001BB40000-0x000000001BB50000-memory.dmp

memory/2736-69-0x0000000000E00000-0x0000000000EEC000-memory.dmp

memory/4040-71-0x00007FFAE56B0000-0x00007FFAE6051000-memory.dmp

memory/2736-73-0x00000000016D0000-0x00000000016E2000-memory.dmp

memory/2736-74-0x000000001BA70000-0x000000001BABE000-memory.dmp

memory/2736-76-0x000000001BAF0000-0x000000001BB08000-memory.dmp

memory/4076-79-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/2736-78-0x000000001CDF0000-0x000000001CFB2000-memory.dmp

memory/2736-77-0x000000001BB20000-0x000000001BB30000-memory.dmp

memory/4076-80-0x000000001B180000-0x000000001B190000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/3540-94-0x00000000004F0000-0x00000000004F8000-memory.dmp

memory/3540-95-0x00000000743C0000-0x0000000074B70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/3540-99-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/1648-100-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/1648-101-0x00000000743C0000-0x0000000074B70000-memory.dmp

memory/5048-103-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/5048-105-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/228-106-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/228-107-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4640-109-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/4888-111-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4640-112-0x0000000019F60000-0x0000000019F70000-memory.dmp

memory/2216-113-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/2216-114-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4448-118-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4996-119-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/2736-116-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/4996-120-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4076-122-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/4076-125-0x000000001B180000-0x000000001B190000-memory.dmp

memory/3480-123-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/1656-126-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/1656-127-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/2116-132-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/3964-131-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/3964-129-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/5060-135-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/5060-137-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/2116-133-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4544-138-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/4076-142-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp

memory/4544-140-0x0000000074460000-0x0000000074C10000-memory.dmp

memory/3608-1318-0x0000000076C30000-0x0000000076C48000-memory.dmp