Analysis Overview
SHA256
cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82
Threat Level: Known bad
The file ahk.exe was found to be: Known bad.
Malicious Activity Summary
Orcurs Rat Executable
Orcus family
Orcus
Orcus main payload
Orcurs Rat Executable
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops desktop.ini file(s)
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-20 08:30
Signatures
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcus family
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-20 08:30
Reported
2024-02-20 08:47
Platform
win7-20231215-en
Max time kernel
33s
Max time network
600s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Data\CheckUpdate.exe.config | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\System32\Data\CheckUpdate.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File opened for modification | C:\Windows\System32\Data\CheckUpdate.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ahk.exe
"C:\Users\Admin\AppData\Local\Temp\ahk.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gfrzg-o9.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4683.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4672.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\System32\Data\CheckUpdate.exe
"C:\Windows\System32\Data\CheckUpdate.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3F2487BB-231B-473A-9E7F-55F547EE45DD} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
C:\Windows\System32\Data\CheckUpdate.exe
C:\Windows\System32\Data\CheckUpdate.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 548
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 528
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 540
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 548
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 540
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 540
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 528
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1040 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 476 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2552 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2552 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 552
C:\Windows\System32\Data\CheckUpdate.exe
C:\Windows\System32\Data\CheckUpdate.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | centre-shaped.gl.at.ply.gg | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | centre-shaped.gl.at.ply.gg | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
Files
memory/2516-0-0x00000000021E0000-0x000000000223C000-memory.dmp
memory/2516-1-0x0000000000500000-0x000000000050E000-memory.dmp
memory/2516-2-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp
memory/2516-3-0x0000000002060000-0x00000000020E0000-memory.dmp
memory/2516-4-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\gfrzg-o9.cmdline
| MD5 | 8236b522d94c68809178b3d9c895f5ba |
| SHA1 | 82b9029067110677ec7eafe0ca59649d00ad8346 |
| SHA256 | 69ebe1144a4e55d30ce3f744f92c4e6f1b95e0505d07a5abb33d1373e82c10b8 |
| SHA512 | 35aea35d018181b23961b9b3ac03d7b9c0bc27bcc9a77dfe0de715594fa07d206a11bdcc8534afd473911565b6ce4eff15b868373db3aee78935513feb57cb44 |
\??\c:\Users\Admin\AppData\Local\Temp\gfrzg-o9.0.cs
| MD5 | 250321226bbc2a616d91e1c82cb4ab2b |
| SHA1 | 7cffd0b2e9c842865d8961386ab8fcfac8d04173 |
| SHA256 | ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d |
| SHA512 | bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1 |
memory/2440-10-0x00000000007E0000-0x0000000000860000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC4672.tmp
| MD5 | 8a3f506dce6250cca4e5919648896b3b |
| SHA1 | 63964558373b36e6123a4273ac970541c97df54d |
| SHA256 | da17ee7cef93d473e567bec55809784c6f8c7cf64025a45fc259bc652e1187ec |
| SHA512 | 6aebe2410eac64c157680310f43cbc6f4231eab4773c2c478ccceaae39714d6c2f081363e0ec110341bbeea2e3c6a5af439422c082b9569cfac01f15e144501b |
C:\Users\Admin\AppData\Local\Temp\RES4683.tmp
| MD5 | 06f7e20f5d3d3ac5a3d5523957905c47 |
| SHA1 | 8036b14b64a2ae36ded6de9fe152cef7e5f7be4b |
| SHA256 | 7cb91aadc85b49486bc98f082335339d23c059b3b36cfc0aadd46d366298dad7 |
| SHA512 | 550ae6b0bae90ddb19fbac191c673d2f43ac036f3f563e72a7f59ac37975f1f831be9ac7134003b48a3e236d40d1911d28e5bd9b03b6311a520e16c0c681e2c6 |
C:\Users\Admin\AppData\Local\Temp\gfrzg-o9.dll
| MD5 | bacc610fd8491f03fe5cce8a73130cd8 |
| SHA1 | 731e7fe1b85f172531b01526de9d666d49a193e4 |
| SHA256 | 555a76ca41e7e6e8db15060c2d9e351c7bef95216a3f03dd6b0c40db4814481c |
| SHA512 | fb8498ba35bfa0491789f3cb25a966f2ea3812ff11d9eb28e0c57636902e9900fa0fea04a1b42accda210ea249d30d44bf4c26b0a57efbf6e34e30339d0f9bd3 |
memory/2516-18-0x000000001AF00000-0x000000001AF16000-memory.dmp
memory/2516-20-0x0000000000540000-0x0000000000552000-memory.dmp
memory/2516-21-0x0000000000730000-0x0000000000738000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/2040-29-0x0000000001220000-0x000000000122C000-memory.dmp
memory/2040-30-0x000007FEEEB70000-0x000007FEEF55C000-memory.dmp
memory/2040-31-0x000000001B2E0000-0x000000001B360000-memory.dmp
memory/2040-34-0x000007FEEEB70000-0x000007FEEF55C000-memory.dmp
memory/2572-36-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp
memory/2572-37-0x0000000019300000-0x0000000019380000-memory.dmp
C:\Windows\System32\Data\CheckUpdate.exe
| MD5 | fd8c295d75ffb1367e7f8248336fbdb7 |
| SHA1 | 52c3aed0df6a5f9751db4436f6a23e718ad164d7 |
| SHA256 | cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82 |
| SHA512 | c27eddce59609f602a8b0d2fff0fadbc3a9837093351048b7bf3d3a9a3a668eb02e9ec63513866b4d76db088472efe03947f4f71c72539daf1488de38dbc26e0 |
memory/2552-47-0x0000000000B30000-0x0000000000C1C000-memory.dmp
memory/2516-49-0x000007FEF5E60000-0x000007FEF67FD000-memory.dmp
memory/2552-48-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp
memory/2552-50-0x000000001B200000-0x000000001B280000-memory.dmp
memory/2552-51-0x0000000000360000-0x0000000000372000-memory.dmp
memory/2552-52-0x00000000004F0000-0x000000000053E000-memory.dmp
memory/2552-53-0x0000000000590000-0x00000000005A8000-memory.dmp
memory/1180-55-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp
memory/1180-56-0x000000001AE50000-0x000000001AED0000-memory.dmp
memory/2552-57-0x0000000000740000-0x0000000000750000-memory.dmp
memory/2552-58-0x000000001B200000-0x000000001B280000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/1196-67-0x0000000001050000-0x0000000001058000-memory.dmp
memory/1196-68-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1196-70-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/528-71-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/528-77-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2572-78-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp
memory/2796-82-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2012-85-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2572-88-0x0000000019300000-0x0000000019380000-memory.dmp
memory/1468-89-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2552-91-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp
memory/3048-92-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1468-94-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1180-100-0x000007FEEE180000-0x000007FEEEB6C000-memory.dmp
memory/2552-101-0x000000001B200000-0x000000001B280000-memory.dmp
memory/3048-103-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/744-104-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2460-106-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/744-111-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2552-115-0x000000001B200000-0x000000001B280000-memory.dmp
memory/920-117-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2460-114-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1072-118-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/920-123-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1072-125-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2528-127-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2656-129-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2528-134-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2656-137-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1696-138-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2376-140-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1696-145-0x0000000074C70000-0x000000007535E000-memory.dmp
\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 73dd8c4462afff81cd1a7221af7eb566 |
| SHA1 | 0f0a7e4c588e5cb956b8a19010f7d3fc5b3299b7 |
| SHA256 | 25bacd03d420dc9b4bb8e987f0295c11df71f21052f174b24be0f2778a513580 |
| SHA512 | 74e14cec31dee1accf005707a0c1ff633b3bb678deb9f19588d8b32ccfc471ab6590120e0c23a27d21bef8582d1395d891162dcafefb6e5e8ece627191f9209f |
memory/2376-147-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2812-148-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1664-149-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2812-150-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/1664-151-0x0000000074C70000-0x000000007535E000-memory.dmp
memory/2000-152-0x0000000074C70000-0x000000007535E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-20 08:30
Reported
2024-02-20 08:47
Platform
win10v2004-20231222-en
Max time kernel
600s
Max time network
602s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | N/A | N/A |
Executes dropped EXE
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Windows\System32\Data\CheckUpdate.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Data\CheckUpdate.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Windows\System32\Data\CheckUpdate.exe.config | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ahk.exe
"C:\Users\Admin\AppData\Local\Temp\ahk.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bgbaofgo.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E52.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3E51.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\System32\Data\CheckUpdate.exe
"C:\Windows\System32\Data\CheckUpdate.exe"
C:\Windows\System32\Data\CheckUpdate.exe
C:\Windows\System32\Data\CheckUpdate.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1648 -ip 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 776
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 228 -ip 228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2216 -ip 2216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4996 -ip 4996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1656 -ip 1656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2116 -ip 2116
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4544 -ip 4544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3244 -ip 3244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4832 -ip 4832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4808 -ip 4808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 772
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5048 -ip 5048
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 544 -ip 544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4544 -ip 4544
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3044 -ip 3044
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1880 -ip 1880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4508 -ip 4508
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 968 -ip 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4720 -ip 4720
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1388 -ip 1388
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1844 -ip 1844
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3424 -ip 3424
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4048 -ip 4048
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4448 -ip 4448
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1956 -ip 1956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4092 -ip 4092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3232 -ip 3232
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3820 -ip 3820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2992 -ip 2992
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 464 -ip 464
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3760 -ip 3760
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2816 -ip 2816
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 788
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4040 -ip 4040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3480 -ip 3480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4456 -ip 4456
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2664 -ip 2664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4492 -ip 4492
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 720 -ip 720
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2948 -ip 2948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 392 -ip 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3984 -ip 3984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1644 -ip 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4888 -ip 4888
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1956 -ip 1956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 776
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3504 -ip 3504
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3264 -ip 3264
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4692 -ip 4692
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3956 -ip 3956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4832 -ip 4832
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 1780 -ip 1780
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4448 -ip 4448
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3600 -ip 3600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 784
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4092 -ip 4092
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1424 -ip 1424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1616 -ip 1616
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2368 -ip 2368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3528 -ip 3528
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 776
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2168 -ip 2168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3696 -ip 3696
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3400 -ip 3400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4960 -ip 4960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1196 -ip 1196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3944 -ip 3944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1620 -ip 1620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3456 -ip 3456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4672 -ip 4672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1236 -ip 1236
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4440 -ip 4440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 780
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 796 -ip 796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4560 -ip 4560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 792
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 3676 -ip 3676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 792
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3824 -ip 3824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 772
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 100 -ip 100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 796
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5004 -ip 5004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4216 -ip 4216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5052 -ip 5052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 772
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 408 -ip 408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2340 -ip 2340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4120 -ip 4120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2760 -ip 2760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2056 -ip 2056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 772
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3244 -ip 3244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3984 -ip 3984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 788
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4908 -ip 4908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1088 -ip 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2640 -ip 2640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3020 -ip 3020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4772 -ip 4772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3944 -ip 3944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5060 -ip 5060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3040 -ip 3040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4664 -ip 4664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4844 -ip 4844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 812
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3256 -ip 3256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2796 -ip 2796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2372 -ip 2372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3212 -ip 3212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2056 -ip 2056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1932 -ip 1932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1944 -ip 1944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4120 -ip 4120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1160 -ip 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3332 -ip 3332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4812 -ip 4812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4632 -ip 4632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3676 -ip 3676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1632 -ip 1632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 316 -ip 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3456 -ip 3456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2192 -ip 2192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1644 -ip 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4852 -ip 4852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2580 -ip 2580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4252 -ip 4252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 544 -ip 544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2992 -ip 2992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3512 -ip 3512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4844 -ip 4844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 428 -ip 428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 780
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2372 -ip 2372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2088 -ip 2088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3932 -ip 3932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3336 -ip 3336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1780 -ip 1780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2116 -ip 2116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 772
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1640 -ip 1640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3484 -ip 3484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4520 -ip 4520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1344 -ip 1344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4772 -ip 4772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4912 -ip 4912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1880 -ip 1880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4456 -ip 4456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 528 -ip 528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2600 -ip 2600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2816 -ip 2816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3504 -ip 3504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 60 -ip 60
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4612 -ip 4612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 776
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1164 -ip 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3048 -ip 3048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3344 -ip 3344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 948 -ip 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 772
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1392 -ip 1392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 772
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4832 -ip 4832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4680 -ip 4680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2656 -ip 2656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4808 -ip 4808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2052 -ip 2052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4556 -ip 4556
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2492 -ip 2492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 776
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1900 -ip 1900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4100 -ip 4100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3972 -ip 3972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4808 -ip 4808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4112 -ip 4112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 784
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4436 -ip 4436
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1048 -ip 1048
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3704 -ip 3704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3176 -ip 3176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3220 -ip 3220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3220 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5008 -ip 5008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4924 -ip 4924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5080 -ip 5080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3240 -ip 3240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 528 -ip 528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1888 -ip 1888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4872 -ip 4872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3788 -ip 3788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3824 -ip 3824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4188 -ip 4188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2056 -ip 2056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4792 -ip 4792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3680 -ip 3680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 784
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4888 -ip 4888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4380 -ip 4380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1684 -ip 1684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2036 -ip 2036
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3788 -ip 3788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2044 -ip 2044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1632 -ip 1632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2792 -ip 2792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2040 -ip 2040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4452 -ip 4452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3872 -ip 3872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4468 -ip 4468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3780 -ip 3780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4288 -ip 4288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 60 -ip 60
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3196 -ip 3196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3212 -ip 3212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4460 -ip 4460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2568 -ip 2568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 776
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4904 -ip 4904
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4856 -ip 4856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2516 -ip 2516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4232 -ip 4232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2360 -ip 2360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1512 -ip 1512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 772
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4852 -ip 4852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5008 -ip 5008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 736 -ip 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4896 -ip 4896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1520 -ip 1520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 968 -ip 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3896 -ip 3896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3104 -ip 3104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4428 -ip 4428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1692 -ip 1692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3260 -ip 3260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2344 -ip 2344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3912 -ip 3912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3692 -ip 3692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4684 -ip 4684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3168 -ip 3168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3896 -ip 3896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1296 -ip 1296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2488 -ip 2488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4220 -ip 4220
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3760 -ip 3760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3260 -ip 3260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2728 -ip 2728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5072 -ip 5072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 768
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 2736 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 764
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 2736 /protectFile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | centre-shaped.gl.at.ply.gg | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 20.231.121.79:80 | tcp | |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | centre-shaped.gl.at.ply.gg | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
Files
memory/4040-0-0x00007FFAE56B0000-0x00007FFAE6051000-memory.dmp
memory/4040-1-0x0000000001660000-0x0000000001670000-memory.dmp
memory/4040-2-0x000000001BC10000-0x000000001BC6C000-memory.dmp
memory/4040-5-0x000000001BDF0000-0x000000001BDFE000-memory.dmp
memory/4040-7-0x00007FFAE56B0000-0x00007FFAE6051000-memory.dmp
memory/4040-6-0x000000001C340000-0x000000001C80E000-memory.dmp
memory/4040-8-0x000000001C8B0000-0x000000001C94C000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\bgbaofgo.cmdline
| MD5 | f4b52e189e2a2e4c5b09ad66f62442c8 |
| SHA1 | 3938c9ecda7006d6b46c0bc6de7221d67f46fdd1 |
| SHA256 | 5d71575b5aa0555172a2dff3c14f770ab44a53e94be88186e1dd0e92079f1ff2 |
| SHA512 | 9a8829a5752da05347d3ef97fadf83bf30d370a4c24da8076b339e3967acc491d37271b95c7de04bb81ec7f5857adac975cdcafc8afd0d2def9d90d6a47d0bb2 |
\??\c:\Users\Admin\AppData\Local\Temp\bgbaofgo.0.cs
| MD5 | ea16d9f61d7255e32708d49f48aa534f |
| SHA1 | b2305b9c224baf53ec7451810a238d1c7e37c36a |
| SHA256 | a3cd3e1e0fe00b62b84135775e703e6cdf248cac1c52d2215a60f45bbf9b491b |
| SHA512 | d02fe52d7084d5e2d1fa5cf9b96438ac41a0b57c73ccf7f899cd1d2495f6c8b5feaf6ccb3d44e2454a2be4a4261cae1a664aa390ac4857ea1cf62e4139094e0b |
memory/4300-14-0x00000000024F0000-0x0000000002500000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC3E51.tmp
| MD5 | 5f174057e9bd4e5239b4b6d2c7808fd5 |
| SHA1 | 146198e7007d20355a6ca961ebf52846fcd3ddb8 |
| SHA256 | e766a0acbbfb0d47dc9054bee4306c11140f4cc5c9384b49a98703ec867970b7 |
| SHA512 | 4fb3c904ab0f44b150ddbd227901c91d517544316d28c59be195c37644e0cef2f615099b1e096645498f9b7d111291ed8e49745a3604c716d0e8b8c8bf097594 |
C:\Users\Admin\AppData\Local\Temp\RES3E52.tmp
| MD5 | 60e0d7b30f0d8d1858c18c752607c6f1 |
| SHA1 | 81ffdfd666abfa3a332691b6a3c0561663d8e04e |
| SHA256 | b291de9d7b11923830016acf5bb241af48f991d01ac1320699bc38e76c795977 |
| SHA512 | 2207a7b40395915537c69450a3e703adbb6ee72aa8d29633f1421117dbc9cc8580096573af114c1632ab15c86b5a2e8d413062deb760e1a078976966c12186fd |
memory/4040-22-0x000000001BE30000-0x000000001BE46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bgbaofgo.dll
| MD5 | f716e57873e70c24542aa260bf302668 |
| SHA1 | 8f3e9f0b6b68410ad4278b7455830abe4c7bf0ce |
| SHA256 | cc6a0b537a5d26d3aa2e45b45a1c5b6258bdec4e6a7f04410c314ce7443d04ff |
| SHA512 | ba967f34b1bc0beaf0282a54e743226249520e138ed7294b704905c176b1789e2e255fb6dfb40074090c295b7443e89377daf2c72239df0f5a9a09c96fe1ed76 |
memory/4040-24-0x0000000001630000-0x0000000001642000-memory.dmp
memory/4040-25-0x0000000001610000-0x0000000001618000-memory.dmp
memory/4040-26-0x000000001C970000-0x000000001C990000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe
| MD5 | e6fcf516d8ed8d0d4427f86e08d0d435 |
| SHA1 | c7691731583ab7890086635cb7f3e4c22ca5e409 |
| SHA256 | 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337 |
| SHA512 | c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e |
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
memory/3504-40-0x0000000000B30000-0x0000000000B3C000-memory.dmp
memory/3504-41-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/3504-42-0x000000001B820000-0x000000001B830000-memory.dmp
memory/3504-43-0x0000000002BD0000-0x0000000002BE2000-memory.dmp
memory/3504-44-0x0000000002C50000-0x0000000002C8C000-memory.dmp
memory/3504-48-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/4640-50-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/4640-51-0x0000000019F60000-0x0000000019F70000-memory.dmp
memory/4640-52-0x000000001A480000-0x000000001A58A000-memory.dmp
C:\Windows\System32\Data\CheckUpdate.exe
| MD5 | fd8c295d75ffb1367e7f8248336fbdb7 |
| SHA1 | 52c3aed0df6a5f9751db4436f6a23e718ad164d7 |
| SHA256 | cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82 |
| SHA512 | c27eddce59609f602a8b0d2fff0fadbc3a9837093351048b7bf3d3a9a3a668eb02e9ec63513866b4d76db088472efe03947f4f71c72539daf1488de38dbc26e0 |
memory/2736-70-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/2736-72-0x000000001BB40000-0x000000001BB50000-memory.dmp
memory/2736-69-0x0000000000E00000-0x0000000000EEC000-memory.dmp
memory/4040-71-0x00007FFAE56B0000-0x00007FFAE6051000-memory.dmp
memory/2736-73-0x00000000016D0000-0x00000000016E2000-memory.dmp
memory/2736-74-0x000000001BA70000-0x000000001BABE000-memory.dmp
memory/2736-76-0x000000001BAF0000-0x000000001BB08000-memory.dmp
memory/4076-79-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/2736-78-0x000000001CDF0000-0x000000001CFB2000-memory.dmp
memory/2736-77-0x000000001BB20000-0x000000001BB30000-memory.dmp
memory/4076-80-0x000000001B180000-0x000000001B190000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 913967b216326e36a08010fb70f9dba3 |
| SHA1 | 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf |
| SHA256 | 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a |
| SHA512 | c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33 |
memory/3540-94-0x00000000004F0000-0x00000000004F8000-memory.dmp
memory/3540-95-0x00000000743C0000-0x0000000074B70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
| MD5 | 4eaca4566b22b01cd3bc115b9b0b2196 |
| SHA1 | e743e0792c19f71740416e7b3c061d9f1336bf94 |
| SHA256 | 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb |
| SHA512 | bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1 |
memory/3540-99-0x00000000743C0000-0x0000000074B70000-memory.dmp
memory/1648-100-0x00000000743C0000-0x0000000074B70000-memory.dmp
memory/1648-101-0x00000000743C0000-0x0000000074B70000-memory.dmp
memory/5048-103-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/5048-105-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/228-106-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/228-107-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4640-109-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/4888-111-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4640-112-0x0000000019F60000-0x0000000019F70000-memory.dmp
memory/2216-113-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/2216-114-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4448-118-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4996-119-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/2736-116-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/4996-120-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4076-122-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/4076-125-0x000000001B180000-0x000000001B190000-memory.dmp
memory/3480-123-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/1656-126-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/1656-127-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/2116-132-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/3964-131-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/3964-129-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/5060-135-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/5060-137-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/2116-133-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4544-138-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/4076-142-0x00007FFAE2F80000-0x00007FFAE3A41000-memory.dmp
memory/4544-140-0x0000000074460000-0x0000000074C10000-memory.dmp
memory/3608-1318-0x0000000076C30000-0x0000000076C48000-memory.dmp