Analysis Overview
SHA256
cd6f3e3f4236416da3ab4d081e566e0be35eba76ea23dff0e1bc48e7ea306c82
Threat Level: Known bad
The file ahk.exe was found to be: Known bad.
Malicious Activity Summary
Orcus
Orcurs Rat Executable
Orcus family
Orcus main payload
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Analysis: static1
Detonation Overview
Reported
2024-02-20 08:34
Signatures
Orcurs Rat Executable
Orcus family
Orcus main payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-20 08:34
Reported
2024-02-20 08:39
Platform
win7-20231215-en
Max time kernel
46s
Max time network
116s
Command Line
Signatures
Orcus
Orcus main payload
Orcurs Rat Executable
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| File created | C:\Windows\System32\Data\CheckUpdate.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File opened for modification | C:\Windows\System32\Data\CheckUpdate.exe | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
| File created | C:\Windows\System32\Data\CheckUpdate.exe.config | C:\Users\Admin\AppData\Local\Temp\ahk.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Data\CheckUpdate.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ahk.exe
"C:\Users\Admin\AppData\Local\Temp\ahk.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvtue9hp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E07.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7DF6.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\Windows\System32\Data\CheckUpdate.exe
"C:\Windows\System32\Data\CheckUpdate.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {02C7D4DC-962B-4D7B-968F-B63F4C03F826} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
C:\Windows\System32\Data\CheckUpdate.exe
C:\Windows\System32\Data\CheckUpdate.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 560
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 540
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 540
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 528
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 540
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 528
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 556
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3092 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 552
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\Windows\System32\Data\CheckUpdate.exe" 696 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\Windows\System32\Data\CheckUpdate.exe" 696 "/protectFile"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 552
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | centre-shaped.gl.at.ply.gg | udp |
| US | 147.185.221.18:30014 | centre-shaped.gl.at.ply.gg | tcp |
Files
\??\c:\Users\Admin\AppData\Local\Temp\nvtue9hp.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\nvtue9hp.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\CSC7DF6.tmp
C:\Users\Admin\AppData\Local\Temp\RES7E07.tmp
C:\Users\Admin\AppData\Local\Temp\nvtue9hp.dll
C:\Windows\SysWOW64\WindowsInput.exe.config
C:\Windows\SysWOW64\WindowsInput.exe
C:\Windows\System32\Data\CheckUpdate.exe
C:\Users\Admin\AppData\Roaming\svchost.exe