It injects itself into (at least) every executable startup and every executable write to disk. It's quite noticeable if you have it installed and run, say, an installer that unpacks a lot of DLL files, because each one gets checksummed and the checksum sent to a remote host. Every time.

I hated it before this incident and I will be bringing this incident up every time it is mentioned.