Malware Analysis Report

2025-01-22 15:03

Sample ID 240220-kgsqbadh4y
Target ahk.exe
SHA256 cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82
Tags orcus rat spyware stealer
Score 10/10

Analysis Overview

Threat Level: Known bad

The file ahk.exe was found to be: Known bad.

Malicious Activity Summary

orcus rat spyware stealer

Orcus

Orcurs Rat Executable

Orcus family

Orcus main payload

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-20 08:34

Signatures

Orcurs Rat Executable

Orcus family

orcus

Orcus main payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 08:34

Reported

2024-02-20 08:39

Platform

win7-20231215-en

Max time kernel

46s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ahk.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Orcurs Rat Executable


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File opened for modification C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A
File created C:\Windows\System32\Data\CheckUpdate.exe.config C:\Users\Admin\AppData\Local\Temp\ahk.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\Data\CheckUpdate.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\Data\CheckUpdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2788 wrote to memory of 2732 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2084 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2084 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\ahk.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 2660 wrote to memory of 1940 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\Data\CheckUpdate.exe
PID 696 wrote to memory of 1868 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1868 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2548 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 696 wrote to memory of 2352 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2352 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2972 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 696 wrote to memory of 812 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 812 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2448 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 696 wrote to memory of 1712 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1712 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1864 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\WerFault.exe
PID 696 wrote to memory of 1488 N/A C:\Windows\System32\Data\CheckUpdate.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ahk.exe

"C:\Users\Admin\AppData\Local\Temp\ahk.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvtue9hp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E07.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7DF6.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\System32\Data\CheckUpdate.exe

"C:\Windows\System32\Data\CheckUpdate.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {02C7D4DC-962B-4D7B-968F-B63F4C03F826} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Windows\System32\Data\CheckUpdate.exe

C:\Windows\System32\Data\CheckUpdate.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 560

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 556

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 552

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile

Network

Country Destination Domain Proto
US 8.8.8.8:53 centre-shaped.gl.at.ply.gg udp
US 147.185.221.18:30014 centre-shaped.gl.at.ply.gg tcp

Files

memory/2084-0-0x000000001AE60000-0x000000001AEBC000-memory.dmp

memory/2084-1-0x0000000000490000-0x000000000049E000-memory.dmp

memory/2084-2-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

memory/2084-3-0x0000000000D10000-0x0000000000D90000-memory.dmp

memory/2084-4-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\nvtue9hp.cmdline

MD5 cac23fc9ef371a0a974891f6b19f0e6c
SHA1 8c1f7daa5d3a20e9b635758a08f4d474c282a0c6
SHA256 884b1aac2ef2f89bcae47819bd57793eaac1abe4228d4101a15ecace58b03b95
SHA512 5fefb42db5537dcf568478a400c42891d0e5e2ef8240168c2e6f1d92858cfb089d5ded8bd870f44b438fce0b5410d88a4a3fe3f0d173688a8a253ebcdf077620

\??\c:\Users\Admin\AppData\Local\Temp\nvtue9hp.0.cs

MD5 2b14ae8b54d216abf4d228493ceca44a
SHA1 d134351498e4273e9d6391153e35416bc743adef
SHA256 4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c
SHA512 5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

\??\c:\Users\Admin\AppData\Local\Temp\CSC7DF6.tmp

MD5 a7cc03593e654d18af354eae48db2891
SHA1 666b1d68f683cb84ee46aa79277b7576fe173226
SHA256 f6ffe1184239437639741ca63fb1d5b2798dcd725ac5e04599730bb9fa335968
SHA512 01ce147d03fe3ca82e99aadb4ad442fd86664d4429d1d086ffb3fbfcf379f223e5f1ccb98cf2421773bc360b0760b53c7541aae5e16c7d6c0e63620eb5f76940

C:\Users\Admin\AppData\Local\Temp\RES7E07.tmp

MD5 3cca5a7bfffe31b92cdd77fefc146e17
SHA1 b9f5f2aeca8f5b83f7dbd068f6e9c2dba37e03e3
SHA256 6c8411dd058bcda2bdca5d06932d470979c6447fd8fd864e37fb8e4d31eebf40
SHA512 80d564ea5c14ed24625156dd9c7fbd886ab26643047e9b24c1480b145c8e5102938da98279f4434cab7229db3656235e68e50a7cefa06688fcb7476ce3b31254

C:\Users\Admin\AppData\Local\Temp\nvtue9hp.dll

MD5 a9f1ec2e7ac3e4485539fddef642bd55
SHA1 f617d28b27edf064e05a6878c8c8c50be3514233
SHA256 c4de7a79b3d6966a598567122bd6776decd9ada877e8a34fd8e11f805300e0e9
SHA512 46d6b015456687c546ecc4d62609cc359e0c63086a6fbfc69dae019efa4ac930e56b432627e8618902d2567cc18df15298b7afffb8943e59df7545be237420e8

memory/2084-17-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

memory/2084-19-0x00000000004D0000-0x00000000004E2000-memory.dmp

memory/2084-20-0x0000000000D00000-0x0000000000D08000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

memory/2736-28-0x0000000000E10000-0x0000000000E1C000-memory.dmp

memory/2736-29-0x000007FEEEFB0000-0x000007FEEF99C000-memory.dmp

memory/2736-30-0x000000001B200000-0x000000001B280000-memory.dmp

memory/2736-33-0x000007FEEEFB0000-0x000007FEEF99C000-memory.dmp

memory/3032-35-0x00000000001B0000-0x00000000001BC000-memory.dmp

memory/3032-36-0x000007FEEE5C0000-0x000007FEEEFAC000-memory.dmp

memory/2084-42-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp

C:\Windows\System32\Data\CheckUpdate.exe

MD5 744416422094e85950f5d4db5de042fe
SHA1 34d8d9d29bc863397fb7fa690b1d6ab58162a15e
SHA256 8d58b98e05fc0494323d04313109a1e74c09e2502436fb64b92b3d30a69dd268
SHA512 cb48f527a7f668b6a617b2a8affb3ea8ca21c90c5ebfed51f923b7428556041eabd28a4dce66e9eb4add8da9470499e53c05ba27c0ab529f6b0383f09f6d2f67

C:\Windows\System32\Data\CheckUpdate.exe

MD5 11128df8dd6f3ef54345060a9366e5b4
SHA1 53400830451e3fcfb4f8eb52edd9499e8c4f52f5
SHA256 b500643797e8128a8a0b71223f5135f5314ba23a2ae01ea161666d59169fbec2
SHA512 60176122dd62a0b010de7cbcb0e6e9fbee53ff2f9f5ce144e902a172262c74b9d5c3807ba85159938e4cf37fae0f098130f1d0580a5c4aea0839450374353dec

memory/2084-47-0x0000000000D10000-0x0000000000D90000-memory.dmp

C:\Windows\System32\Data\CheckUpdate.exe

MD5 1745a324a75e71cce174e5bc846f48fa
SHA1 cde2a2ccd9ae5a7b8f782176e46063e085ccee01
SHA256 3696463a1b4b8ec09ce8d63d61a956508ce34b34107110ab81fe98ead31bce30
SHA512 997359a559ee05a5844de1cd7f787948235d8e5a1e8055cbad35208e97ffb93223f2bdf3470d86cb25a6b9fe5e8576a271a14858760fe7d33964021df2a7b0fb

C:\Windows\System32\Data\CheckUpdate.exe

MD5 fd8c295d75ffb1367e7f8248336fbdb7
SHA1 52c3aed0df6a5f9751db4436f6a23e718ad164d7
SHA256 cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82
SHA512 c27eddce59609f602a8b0d2fff0fadbc3a9837093351048b7bf3d3a9a3a668eb02e9ec63513866b4d76db088472efe03947f4f71c72539daf1488de38dbc26e0

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
