7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a

Analysis

max time kernel
82s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/10/2022, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
Size

72KB
MD5

102081c2c274d5d251ed3b25766b7bb5
SHA1

9e5ac43117264a5db33def780fa5cc5cf95df922
SHA256

7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a
SHA512

2f6521131edd81111741d104a256921d1da0aa8b6247a62aa15952e40d775ba1ec5763d4c2a948cee82bf37b35e4d7fe7ac78345764416638d9ca326ff83eccf
SSDEEP

768:rpQNwC3BEc4QEfu0Ei8XxNDINE3BEJwRr3k8PV:teThavEjDWguKUW

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
940	backup.exe
1160	backup.exe
676	backup.exe
560	backup.exe
1668	backup.exe
1752	backup.exe
624	backup.exe
1148	backup.exe
1468	backup.exe
1996	System Restore.exe
1964	backup.exe
1604	backup.exe
1648	backup.exe
1564	backup.exe
812	data.exe
1120	backup.exe
840	backup.exe
1680	data.exe
976	backup.exe
2028	backup.exe
580	backup.exe
112	backup.exe
1672	backup.exe
696	backup.exe
2044	backup.exe
1196	backup.exe
1572	backup.exe
1576	update.exe
1152	backup.exe
1260	backup.exe
1556	System Restore.exe
2000	backup.exe
1092	backup.exe
1956	backup.exe
616	backup.exe
1460	backup.exe
464	backup.exe
1648	backup.exe
1520	backup.exe
1504	backup.exe
904	backup.exe
1104	backup.exe
1120	backup.exe
988	backup.exe
1124	backup.exe
1680	backup.exe
1880	backup.exe
1720	backup.exe
764	backup.exe
1764	backup.exe
336	backup.exe
572	backup.exe
1592	backup.exe
624	backup.exe
1584	backup.exe
944	backup.exe
1476	backup.exe
964	System Restore.exe
1920	backup.exe
2004	backup.exe
1468	backup.exe
664	backup.exe
1916	backup.exe
860	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
1148	backup.exe
1148	backup.exe
1468	backup.exe
1468	backup.exe
1148	backup.exe
1148	backup.exe
1964	backup.exe
1964	backup.exe
1604	backup.exe
1604	backup.exe
1964	backup.exe
1964	backup.exe
1564	backup.exe
1564	backup.exe
812	data.exe
812	data.exe
812	data.exe
812	data.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
840	backup.exe
1576	update.exe
1576	update.exe
1576	update.exe
840	backup.exe
840	backup.exe
1152	backup.exe
1152	backup.exe
1152	backup.exe
1152	backup.exe
1152	backup.exe
1152	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\de-DE\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe	backup.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\backup.exe	backup.exe
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\AppPatch64\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
940	backup.exe
1160	backup.exe
676	backup.exe
560	backup.exe
1668	backup.exe
1752	backup.exe
624	backup.exe
1148	backup.exe
1468	backup.exe
1996	System Restore.exe
1964	backup.exe
1604	backup.exe
1648	backup.exe
1564	backup.exe
812	data.exe
1120	backup.exe
840	backup.exe
1680	data.exe
976	backup.exe
2028	backup.exe
580	backup.exe
112	backup.exe
1672	backup.exe
696	backup.exe
2044	backup.exe
1196	backup.exe
1572	backup.exe
1576	update.exe
1152	backup.exe
1260	backup.exe
1556	System Restore.exe
2000	backup.exe
1092	backup.exe
1956	backup.exe
616	backup.exe
1460	backup.exe
464	backup.exe
1648	backup.exe
1520	backup.exe
1504	backup.exe
904	backup.exe
1104	backup.exe
1120	backup.exe
988	backup.exe
1124	backup.exe
1680	backup.exe
1880	backup.exe
1720	backup.exe
764	backup.exe
1764	backup.exe
336	backup.exe
572	backup.exe
1592	backup.exe
624	backup.exe
1584	backup.exe
944	backup.exe
1476	backup.exe
964	System Restore.exe
1920	backup.exe
2004	backup.exe
1468	backup.exe
664	backup.exe
1916	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 940	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	27
PID 2024 wrote to memory of 940	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	27
PID 2024 wrote to memory of 940	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	27
PID 2024 wrote to memory of 940	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	27
PID 2024 wrote to memory of 1160	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	28
PID 2024 wrote to memory of 1160	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	28
PID 2024 wrote to memory of 1160	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	28
PID 2024 wrote to memory of 1160	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	28
PID 2024 wrote to memory of 676	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	29
PID 2024 wrote to memory of 676	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	29
PID 2024 wrote to memory of 676	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	29
PID 2024 wrote to memory of 676	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	29
PID 2024 wrote to memory of 560	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	30
PID 2024 wrote to memory of 560	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	30
PID 2024 wrote to memory of 560	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	30
PID 2024 wrote to memory of 560	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	30
PID 2024 wrote to memory of 1668	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	31
PID 2024 wrote to memory of 1668	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	31
PID 2024 wrote to memory of 1668	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	31
PID 2024 wrote to memory of 1668	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	31
PID 2024 wrote to memory of 1752	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	32
PID 2024 wrote to memory of 1752	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	32
PID 2024 wrote to memory of 1752	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	32
PID 2024 wrote to memory of 1752	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	32
PID 2024 wrote to memory of 624	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	33
PID 2024 wrote to memory of 624	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	33
PID 2024 wrote to memory of 624	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	33
PID 2024 wrote to memory of 624	2024	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe	33
PID 940 wrote to memory of 1148	940	backup.exe	34
PID 940 wrote to memory of 1148	940	backup.exe	34
PID 940 wrote to memory of 1148	940	backup.exe	34
PID 940 wrote to memory of 1148	940	backup.exe	34
PID 1148 wrote to memory of 1468	1148	backup.exe	35
PID 1148 wrote to memory of 1468	1148	backup.exe	35
PID 1148 wrote to memory of 1468	1148	backup.exe	35
PID 1148 wrote to memory of 1468	1148	backup.exe	35
PID 1468 wrote to memory of 1996	1468	backup.exe	36
PID 1468 wrote to memory of 1996	1468	backup.exe	36
PID 1468 wrote to memory of 1996	1468	backup.exe	36
PID 1468 wrote to memory of 1996	1468	backup.exe	36
PID 1148 wrote to memory of 1964	1148	backup.exe	37
PID 1148 wrote to memory of 1964	1148	backup.exe	37
PID 1148 wrote to memory of 1964	1148	backup.exe	37
PID 1148 wrote to memory of 1964	1148	backup.exe	37
PID 1964 wrote to memory of 1604	1964	backup.exe	38
PID 1964 wrote to memory of 1604	1964	backup.exe	38
PID 1964 wrote to memory of 1604	1964	backup.exe	38
PID 1964 wrote to memory of 1604	1964	backup.exe	38
PID 1604 wrote to memory of 1648	1604	backup.exe	39
PID 1604 wrote to memory of 1648	1604	backup.exe	39
PID 1604 wrote to memory of 1648	1604	backup.exe	39
PID 1604 wrote to memory of 1648	1604	backup.exe	39
PID 1964 wrote to memory of 1564	1964	backup.exe	40
PID 1964 wrote to memory of 1564	1964	backup.exe	40
PID 1964 wrote to memory of 1564	1964	backup.exe	40
PID 1964 wrote to memory of 1564	1964	backup.exe	40
PID 1564 wrote to memory of 812	1564	backup.exe	41
PID 1564 wrote to memory of 812	1564	backup.exe	41
PID 1564 wrote to memory of 812	1564	backup.exe	41
PID 1564 wrote to memory of 812	1564	backup.exe	41
PID 812 wrote to memory of 1120	812	data.exe	42
PID 812 wrote to memory of 1120	812	data.exe	42
PID 812 wrote to memory of 1120	812	data.exe	42
PID 812 wrote to memory of 1120	812	data.exe	42

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe
"C:\Users\Admin\AppData\Local\Temp\7d0fb76b0c0b5bbd0741b91fa1020f27395dd7ca40443c4a9379f1cbc5b13d7a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2024
- C:\Users\Admin\AppData\Local\Temp\2321522944\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2321522944\backup.exe C:\Users\Admin\AppData\Local\Temp\2321522944\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\PerfLogs\Admin\System Restore.exe
        
        "C:\PerfLogs\Admin\System Restore.exe" C:\PerfLogs\Admin\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1996
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1648
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Program Files\Common Files\Microsoft Shared\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:840
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2028
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:112
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1196
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1260
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1092
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1460
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:464
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1104
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:988
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1764
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1592
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:964
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1468
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:664
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:1704
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:1648
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:1664
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1504
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        
        PID:1832
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1464
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:1120
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:644
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1224
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        System policy modification
        
        PID:1880
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:820
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1800
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        
        PID:1316
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:2044
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:1324
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1548
        
        C:\Program Files\Common Files\Microsoft Shared\VC\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\update.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1584
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:944
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\update.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:1016
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        System policy modification
        
        PID:1924
      - C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:1040
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:1092
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1692
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1296
        
        C:\Program Files\Common Files\System\ado\data.exe
        
        "C:\Program Files\Common Files\System\ado\data.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        
        PID:1916
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1836
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:972
        
        C:\Program Files\Common Files\System\ado\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\System Restore.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1952
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:596
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        System policy modification
        
        PID:740
        
        C:\Program Files\Common Files\System\ado\ja-JP\update.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\update.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1068
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:860
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1184
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:1464
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1112
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1960
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1124
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1552
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:456
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:520
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1768
        
        C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\System Restore.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        
        PID:764
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:580
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:1144
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:1672
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:1448
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:1792
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1592
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:1528
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1980
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:112
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        Drops file in Program Files directory
        
        PID:1612
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:304
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        
        PID:1260
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:1920
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:1016
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        
        PID:1620
      - C:\Program Files\DVD Maker\ja-JP\update.exe
        
        "C:\Program Files\DVD Maker\ja-JP\update.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1996
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        
        PID:884
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1092
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1632
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:844
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:268
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1152
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:432
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        
        PID:1628
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1048
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:1068
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        
        PID:1084
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:980
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:1960
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:320
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        System policy modification
        
        PID:1080
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        System policy modification
        
        PID:992
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:1752
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\data.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:1452
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1572
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:820
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:2000
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:812
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1996
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:1056
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\
        8⤵
        Drops file in Program Files directory
        
        PID:1816
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1520
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\
        9⤵
        
        PID:1164
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\
        9⤵
        
        PID:1116
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\
        9⤵
        
        PID:1120
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\
        9⤵
        
        PID:1960
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\
        9⤵
        
        PID:320
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\
        9⤵
        System policy modification
        
        PID:1080
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\
        9⤵
        
        PID:1316
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\
        10⤵
        
        PID:1196
        
        C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\_platform_specific\win_x64\
        11⤵
        
        PID:1980
        
        C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\Dictionaries\backup.exe" C:\Program Files\Google\Chrome\Application\Dictionaries\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1564
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:304
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        
        PID:1920
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:884
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1976
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
      - C:\Program Files\Internet Explorer\fr-FR\System Restore.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\System Restore.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:596
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:1520
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        
        PID:1200
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        System policy modification
        
        PID:1112
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:520
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        
        PID:1144
        
        C:\Program Files\Java\jdk1.7.0_80\bin\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\update.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:580
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2044
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        
        PID:1792
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        
        PID:1980
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:112
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\data.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        8⤵
        
        PID:1428
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1056
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:2008
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
        8⤵
        
        PID:1040
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
        9⤵
        System policy modification
        
        PID:1976
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
        9⤵
        
        PID:1912
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
        9⤵
        
        PID:1152
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1520
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
        9⤵
        System policy modification
        
        PID:1164
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
        9⤵
        
        PID:892
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
        9⤵
        System policy modification
        
        PID:1276
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
        9⤵
        
        PID:1916
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
        9⤵
        
        PID:1768
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
        9⤵
        
        PID:1828
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
        9⤵
        System policy modification
        
        PID:1676
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
        10⤵
        
        PID:616
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
        9⤵
        System policy modification
        
        PID:1564
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
        9⤵
        
        PID:1476
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
        9⤵
        System policy modification
        
        PID:944
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1824
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
        10⤵
        System policy modification
        
        PID:1620
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
        10⤵
        
        PID:1584
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
        11⤵
        
        PID:464
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:844
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
        11⤵
        System policy modification
        
        PID:1604
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
        11⤵
        System policy modification
        
        PID:2028
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
        10⤵
        
        PID:1904
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
        10⤵
        
        PID:1496
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
        10⤵
        
        PID:1920
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:992
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:816
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
        10⤵
        
        PID:1316
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
        10⤵
        
        PID:1676
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
        10⤵
        
        PID:1324
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1640
        
        C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        7⤵
        
        PID:1476
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
        8⤵
        Drops file in Program Files directory
        
        PID:1060
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
        9⤵
        
        PID:388
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        
        PID:1992
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:1712
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1604
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
        9⤵
        
        PID:2028
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1764
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        System policy modification
        
        PID:1592
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        
        PID:1468
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        
        PID:1452
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        10⤵
        
        PID:1380
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:580
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        10⤵
        
        PID:388
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        System policy modification
        
        PID:1996
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        10⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1640
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
        10⤵
        
        PID:1452
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
        11⤵
        
        PID:320
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
        10⤵
        
        PID:1904
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:2204
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
        10⤵
        
        PID:2444
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
        10⤵
        
        PID:2604
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:2760
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
        9⤵
        
        PID:1196
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        
        PID:2012
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        11⤵
        
        PID:268
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
        12⤵
        
        PID:1740
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        10⤵
        
        PID:1068
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
        9⤵
        
        PID:1164
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
        10⤵
        
        PID:1832
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
        11⤵
        
        PID:1448
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
        12⤵
        
        PID:980
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
        11⤵
        
        PID:976
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
        11⤵
        
        PID:2180
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
        10⤵
        
        PID:1984
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
        10⤵
        
        PID:2188
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
        10⤵
        
        PID:2412
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
        8⤵
        Drops file in Program Files directory
        
        PID:816
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
        9⤵
        
        PID:1792
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
        9⤵
        System policy modification
        
        PID:1916
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
        10⤵
        System policy modification
        
        PID:1664
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
        11⤵
        
        PID:944
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
        11⤵
        
        PID:1476
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
        10⤵
        
        PID:1204
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
        10⤵
        
        PID:2212
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
        10⤵
        
        PID:2452
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
        10⤵
        
        PID:2628
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
        9⤵
        
        PID:1472
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
        9⤵
        
        PID:2220
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1468
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        7⤵
        
        PID:2016
        
        C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        8⤵
        
        PID:1564
        
        C:\Program Files\Java\jre7\bin\plugin2\System Restore.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\System Restore.exe" C:\Program Files\Java\jre7\bin\plugin2\
        8⤵
        
        PID:1200
        
        C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        8⤵
        
        PID:1276
        
        C:\Program Files\Java\jre7\lib\update.exe
        
        "C:\Program Files\Java\jre7\lib\update.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:1504
        
        C:\Program Files\Java\jre7\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
        8⤵
        System policy modification
        
        PID:1356
        
        C:\Program Files\Java\jre7\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
        8⤵
        
        PID:1184
        
        C:\Program Files\Java\jre7\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
        8⤵
        
        PID:1640
        
        C:\Program Files\Java\jre7\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\
        8⤵
        
        PID:664
        
        C:\Program Files\Java\jre7\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
        8⤵
        
        PID:2252
        
        C:\Program Files\Java\jre7\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\
        8⤵
        
        PID:2436
        
        C:\Program Files\Java\jre7\lib\images\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
        8⤵
        
        PID:2564
        
        C:\Program Files\Java\jre7\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
        8⤵
        
        PID:2732
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1980
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        Drops file in Program Files directory
        
        PID:268
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:2004
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        
        PID:1464
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:1992
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1904
        
        C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        
        PID:1912
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        Drops file in Program Files directory
        
        PID:624
        
        C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
        7⤵
        
        PID:744
        
        C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1192
        
        C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
        7⤵
        
        PID:1468
        
        C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
        7⤵
        
        PID:1316
        
        C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
        7⤵
        
        PID:2092
        
        C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
        7⤵
        
        PID:2292
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:1516
        
        C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
        7⤵
        
        PID:1496
        
        C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
        7⤵
        
        PID:1296
        
        C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
        7⤵
        
        PID:1720
        
        C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
        7⤵
        
        PID:464
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
        7⤵
        
        PID:2244
        
        C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
        7⤵
        
        PID:2404
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:2000
      - C:\Program Files\Microsoft Games\Minesweeper\update.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\update.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:2140
      - C:\Program Files\Microsoft Games\More Games\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
        6⤵
        
        PID:2336
      - C:\Program Files\Microsoft Games\Multiplayer\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
        6⤵
        
        PID:2520
      - C:\Program Files\Microsoft Games\Purble Place\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
        6⤵
        
        PID:2684
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        
        PID:1556
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        Drops file in Program Files directory
        
        PID:976
        
        C:\Program Files\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:892
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1040
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        Drops file in Program Files directory
        
        PID:1352
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:748
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:1724
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:520
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:2164
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:2368
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:2540
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1052
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2124
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2328
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2492
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:2660
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:1072
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1464
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:1160
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:364
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        System policy modification
        
        PID:624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:616
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1468
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        Drops file in Program Files directory
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:1908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        System policy modification
        
        PID:1916
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1904
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1496
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1688
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        System policy modification
        
        PID:336
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:1452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        System policy modification
        
        PID:1584
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        System policy modification
        
        PID:2000
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:1460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        System policy modification
        
        PID:1152
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        Drops file in Program Files directory
        
        PID:1908
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        
        PID:1504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:1356
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        Drops file in Program Files directory
        
        PID:696
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:1548
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        
        PID:572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1672
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:1536
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        System policy modification
        
        PID:1824
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:1408
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:964
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1704
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1468
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        System policy modification
        
        PID:596
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:980
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:544
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        Drops file in Program Files directory
        
        PID:1924
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:1732
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:456
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:580
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:1324
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\update.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:1296
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        System policy modification
        
        PID:1640
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Drops file in Program Files directory
        
        PID:1268
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        System policy modification
        
        PID:1060
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:1752
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:884
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        System policy modification
        
        PID:1992
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:1460
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:852
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        
        PID:1384
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1112
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        8⤵
        
        PID:1292
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        8⤵
        
        PID:1356
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1952
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        8⤵
        
        PID:1504
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1528
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        8⤵
        
        PID:1296
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        8⤵
        
        PID:1564
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        8⤵
        
        PID:1816
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        8⤵
        
        PID:560
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1692
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        8⤵
        
        PID:884
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        8⤵
        
        PID:464
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:860
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        8⤵
        
        PID:1584
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:1224
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1552
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:816
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:1676
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:1956
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        7⤵
        
        PID:904
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        7⤵
        
        PID:1512
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1664
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:464
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        System policy modification
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        
        PID:860
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:892
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:1952
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        System policy modification
        
        PID:1356
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:456
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        7⤵
        Drops file in Program Files directory
        
        PID:1632
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
        8⤵
        
        PID:1672
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:644
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
        9⤵
        
        PID:860
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
        9⤵
        
        PID:980
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
        9⤵
        
        PID:2044
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
        9⤵
        
        PID:2004
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
        9⤵
        
        PID:1908
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
        9⤵
        System policy modification
        
        PID:1924
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
        9⤵
        
        PID:580
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
        9⤵
        
        PID:2056
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
        9⤵
        
        PID:2276
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
        9⤵
        
        PID:2464
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
        9⤵
        
        PID:2572
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
        9⤵
        
        PID:2716
        
        C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:1548
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        7⤵
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
        8⤵
        
        PID:764
        
        C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        7⤵
        
        PID:364
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        7⤵
        
        PID:1960
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
        8⤵
        
        PID:1544
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
        8⤵
        
        PID:2156
        
        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:1384
        
        C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2196
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:2420
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
        7⤵
        
        PID:2612
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
        7⤵
        
        PID:2768
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        System policy modification
        
        PID:616
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1384
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1564
      - C:\Program Files (x86)\Common Files\System\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\System Restore.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1528
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1732
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:1116
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:748
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\update.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\update.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:2228
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2428
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2548
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:2172
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:2396
        
        C:\Program Files (x86)\Common Files\System\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:2596
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:2752
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1648
      - C:\Program Files (x86)\Google\CrashReports\System Restore.exe
        
        "C:\Program Files (x86)\Google\CrashReports\System Restore.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:1184
      - C:\Program Files (x86)\Google\Policies\update.exe
        
        "C:\Program Files (x86)\Google\Policies\update.exe" C:\Program Files (x86)\Google\Policies\
        6⤵
        
        PID:1800
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:1740
      - C:\Program Files (x86)\Google\Update\data.exe
        
        "C:\Program Files (x86)\Google\Update\data.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1152
        
        C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.71\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.71\
        7⤵
        
        PID:1920
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:432
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        
        PID:1192
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:2068
        
        C:\Program Files (x86)\Google\Update\Offline\update.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\update.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:2300
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:336
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        
        PID:980
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:1592
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1992
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:2100
      - C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:2284
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        
        PID:2472
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:2620
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:1200
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        Drops file in Program Files directory
        
        PID:1896
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        7⤵
        
        PID:1912
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\update.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
        8⤵
        
        PID:860
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
        8⤵
        
        PID:2084
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1668
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2132
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:2320
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2504
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2652
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:1832
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:520
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:1544
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1800
      - C:\Users\Admin\Documents\update.exe
        
        C:\Users\Admin\Documents\update.exe C:\Users\Admin\Documents\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1896
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:2016
      - C:\Users\Admin\Favorites\System Restore.exe
        
        "C:\Users\Admin\Favorites\System Restore.exe" C:\Users\Admin\Favorites\
        6⤵
        
        PID:820
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:1556
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1516
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2000
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1992
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:1040
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1908
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:1544
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:1688
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        System policy modification
        
        PID:1552
      - C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        6⤵
        
        PID:624
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:988
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1428
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:1084
      - C:\Users\Public\Recorded TV\data.exe
        
        "C:\Users\Public\Recorded TV\data.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:1732
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        
        PID:1576
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1124
        
        C:\Users\Public\Videos\Sample Videos\backup.exe
        
        "C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
        7⤵
        
        PID:1080
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:572
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:1632
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        System policy modification
        
        PID:1204
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Drops file in Windows directory
        
        PID:988
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:112
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:944
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:2260
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:2388
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:2556
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:2724
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2016
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2236
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2380
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2584
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        
        PID:2708
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:676
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:560
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2ab398428a7d7fcbf579274bef06d627

SHA1
5b05c4d7f692ad5ec0da11de4e5225c60a789225

SHA256
fd3d6e3e5fbbba81efe7663a720a627203595c992044ac2d68dcf76a6ba62cd6

SHA512
fd24189829c53f0245fb1541125e54fdeb55e5cf2bd5f4b44b167bd015e84d72fe87e88054dda938c65e8ba04e19b3a3bbd9a4cf771720dba0357297e938aa95

Download Submit
C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2ab398428a7d7fcbf579274bef06d627

SHA1
5b05c4d7f692ad5ec0da11de4e5225c60a789225

SHA256
fd3d6e3e5fbbba81efe7663a720a627203595c992044ac2d68dcf76a6ba62cd6

SHA512
fd24189829c53f0245fb1541125e54fdeb55e5cf2bd5f4b44b167bd015e84d72fe87e88054dda938c65e8ba04e19b3a3bbd9a4cf771720dba0357297e938aa95

Download Submit
C:\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
100d3ec44a76b1e88b42a1a1ac2cadbb

SHA1
362d1aa8a4f83422861c6ca8610ff44a37ccc044

SHA256
173139e6bad4a21c12791133fab640bdfd4c1bc9cb7c1beef9cb3c253470b4f8

SHA512
a30b02d0f85e3f922914b5c2d8993bd083df85ec44930be84a9ee35e3ce0f52375ab6aa68355aae1671be52c78f9eb960ff025c77eab9632e73a9b1acfc1b93c

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
C:\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6dcc0c27b377f1015d3ccd6576c9bd99

SHA1
52c98f62c24040f15d09202f94fa6e73a4fbfe0b

SHA256
2406d5973fa903af9d89ecbd24607e354f3dd6995c84f260260007570179d32c

SHA512
2e12f9faf589d79330bc333056c05fa19a45acae803a49cf444283f97658d122f792e2187004a7e9ac5cd443ccc7b8737800ba4d32bfa2ee9608b94195002557

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
100d3ec44a76b1e88b42a1a1ac2cadbb

SHA1
362d1aa8a4f83422861c6ca8610ff44a37ccc044

SHA256
173139e6bad4a21c12791133fab640bdfd4c1bc9cb7c1beef9cb3c253470b4f8

SHA512
a30b02d0f85e3f922914b5c2d8993bd083df85ec44930be84a9ee35e3ce0f52375ab6aa68355aae1671be52c78f9eb960ff025c77eab9632e73a9b1acfc1b93c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
100d3ec44a76b1e88b42a1a1ac2cadbb

SHA1
362d1aa8a4f83422861c6ca8610ff44a37ccc044

SHA256
173139e6bad4a21c12791133fab640bdfd4c1bc9cb7c1beef9cb3c253470b4f8

SHA512
a30b02d0f85e3f922914b5c2d8993bd083df85ec44930be84a9ee35e3ce0f52375ab6aa68355aae1671be52c78f9eb960ff025c77eab9632e73a9b1acfc1b93c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
cbd29d9c8999659a2a51c45f89fa7f32

SHA1
ff94f8bfdabfd10074281d34ece91cba573a1cb4

SHA256
8fb27e010fe07d511c842337dbbb1f5cfd67ab6f486c816ea4e6ba4da400fa17

SHA512
d691f33476b4793a7b0be67d4df42e39cea692bb7dd0d94195c91aa015df5672f7f5afbe15e9cd6db457c0dc54fb23f62a46411714ff3f20dc54da21448ab4af

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6dcc0c27b377f1015d3ccd6576c9bd99

SHA1
52c98f62c24040f15d09202f94fa6e73a4fbfe0b

SHA256
2406d5973fa903af9d89ecbd24607e354f3dd6995c84f260260007570179d32c

SHA512
2e12f9faf589d79330bc333056c05fa19a45acae803a49cf444283f97658d122f792e2187004a7e9ac5cd443ccc7b8737800ba4d32bfa2ee9608b94195002557

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6dcc0c27b377f1015d3ccd6576c9bd99

SHA1
52c98f62c24040f15d09202f94fa6e73a4fbfe0b

SHA256
2406d5973fa903af9d89ecbd24607e354f3dd6995c84f260260007570179d32c

SHA512
2e12f9faf589d79330bc333056c05fa19a45acae803a49cf444283f97658d122f792e2187004a7e9ac5cd443ccc7b8737800ba4d32bfa2ee9608b94195002557

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
cbd29d9c8999659a2a51c45f89fa7f32

SHA1
ff94f8bfdabfd10074281d34ece91cba573a1cb4

SHA256
8fb27e010fe07d511c842337dbbb1f5cfd67ab6f486c816ea4e6ba4da400fa17

SHA512
d691f33476b4793a7b0be67d4df42e39cea692bb7dd0d94195c91aa015df5672f7f5afbe15e9cd6db457c0dc54fb23f62a46411714ff3f20dc54da21448ab4af

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
C:\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2ab398428a7d7fcbf579274bef06d627

SHA1
5b05c4d7f692ad5ec0da11de4e5225c60a789225

SHA256
fd3d6e3e5fbbba81efe7663a720a627203595c992044ac2d68dcf76a6ba62cd6

SHA512
fd24189829c53f0245fb1541125e54fdeb55e5cf2bd5f4b44b167bd015e84d72fe87e88054dda938c65e8ba04e19b3a3bbd9a4cf771720dba0357297e938aa95

Download Submit
C:\Program Files\backup.exe

Filesize
72KB

MD5
2ab398428a7d7fcbf579274bef06d627

SHA1
5b05c4d7f692ad5ec0da11de4e5225c60a789225

SHA256
fd3d6e3e5fbbba81efe7663a720a627203595c992044ac2d68dcf76a6ba62cd6

SHA512
fd24189829c53f0245fb1541125e54fdeb55e5cf2bd5f4b44b167bd015e84d72fe87e88054dda938c65e8ba04e19b3a3bbd9a4cf771720dba0357297e938aa95

Download Submit
C:\Users\Admin\AppData\Local\Temp\2321522944\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2321522944\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
C:\backup.exe

Filesize
72KB

MD5
06ec0caa97c74bbcdef2c05238c1d45e

SHA1
c890b45f43d4ec09fbc1c19290f6010baec23c9e

SHA256
02a8d2e8cb5c5d301135f411786cd612393c3559ebe217930d95ebdc8d4a5d34

SHA512
a8c552c4f5b640396bbadeb8ef7f117ed8ad0fbbf36c6380d67629f8261a97ae94649b072cb4a6e85f9bd9b3dfbf5f6bc4d77fa50c8d6308cfafd878a81c5e31

Download Submit
C:\backup.exe

Filesize
72KB

MD5
06ec0caa97c74bbcdef2c05238c1d45e

SHA1
c890b45f43d4ec09fbc1c19290f6010baec23c9e

SHA256
02a8d2e8cb5c5d301135f411786cd612393c3559ebe217930d95ebdc8d4a5d34

SHA512
a8c552c4f5b640396bbadeb8ef7f117ed8ad0fbbf36c6380d67629f8261a97ae94649b072cb4a6e85f9bd9b3dfbf5f6bc4d77fa50c8d6308cfafd878a81c5e31

Download Submit
\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
\PerfLogs\Admin\System Restore.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
2ab398428a7d7fcbf579274bef06d627

SHA1
5b05c4d7f692ad5ec0da11de4e5225c60a789225

SHA256
fd3d6e3e5fbbba81efe7663a720a627203595c992044ac2d68dcf76a6ba62cd6

SHA512
fd24189829c53f0245fb1541125e54fdeb55e5cf2bd5f4b44b167bd015e84d72fe87e88054dda938c65e8ba04e19b3a3bbd9a4cf771720dba0357297e938aa95

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
2ab398428a7d7fcbf579274bef06d627

SHA1
5b05c4d7f692ad5ec0da11de4e5225c60a789225

SHA256
fd3d6e3e5fbbba81efe7663a720a627203595c992044ac2d68dcf76a6ba62cd6

SHA512
fd24189829c53f0245fb1541125e54fdeb55e5cf2bd5f4b44b167bd015e84d72fe87e88054dda938c65e8ba04e19b3a3bbd9a4cf771720dba0357297e938aa95

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
100d3ec44a76b1e88b42a1a1ac2cadbb

SHA1
362d1aa8a4f83422861c6ca8610ff44a37ccc044

SHA256
173139e6bad4a21c12791133fab640bdfd4c1bc9cb7c1beef9cb3c253470b4f8

SHA512
a30b02d0f85e3f922914b5c2d8993bd083df85ec44930be84a9ee35e3ce0f52375ab6aa68355aae1671be52c78f9eb960ff025c77eab9632e73a9b1acfc1b93c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
100d3ec44a76b1e88b42a1a1ac2cadbb

SHA1
362d1aa8a4f83422861c6ca8610ff44a37ccc044

SHA256
173139e6bad4a21c12791133fab640bdfd4c1bc9cb7c1beef9cb3c253470b4f8

SHA512
a30b02d0f85e3f922914b5c2d8993bd083df85ec44930be84a9ee35e3ce0f52375ab6aa68355aae1671be52c78f9eb960ff025c77eab9632e73a9b1acfc1b93c

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6dcc0c27b377f1015d3ccd6576c9bd99

SHA1
52c98f62c24040f15d09202f94fa6e73a4fbfe0b

SHA256
2406d5973fa903af9d89ecbd24607e354f3dd6995c84f260260007570179d32c

SHA512
2e12f9faf589d79330bc333056c05fa19a45acae803a49cf444283f97658d122f792e2187004a7e9ac5cd443ccc7b8737800ba4d32bfa2ee9608b94195002557

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
6dcc0c27b377f1015d3ccd6576c9bd99

SHA1
52c98f62c24040f15d09202f94fa6e73a4fbfe0b

SHA256
2406d5973fa903af9d89ecbd24607e354f3dd6995c84f260260007570179d32c

SHA512
2e12f9faf589d79330bc333056c05fa19a45acae803a49cf444283f97658d122f792e2187004a7e9ac5cd443ccc7b8737800ba4d32bfa2ee9608b94195002557

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
100d3ec44a76b1e88b42a1a1ac2cadbb

SHA1
362d1aa8a4f83422861c6ca8610ff44a37ccc044

SHA256
173139e6bad4a21c12791133fab640bdfd4c1bc9cb7c1beef9cb3c253470b4f8

SHA512
a30b02d0f85e3f922914b5c2d8993bd083df85ec44930be84a9ee35e3ce0f52375ab6aa68355aae1671be52c78f9eb960ff025c77eab9632e73a9b1acfc1b93c

Download Submit
\Program Files\Common Files\Microsoft Shared\data.exe

Filesize
72KB

MD5
100d3ec44a76b1e88b42a1a1ac2cadbb

SHA1
362d1aa8a4f83422861c6ca8610ff44a37ccc044

SHA256
173139e6bad4a21c12791133fab640bdfd4c1bc9cb7c1beef9cb3c253470b4f8

SHA512
a30b02d0f85e3f922914b5c2d8993bd083df85ec44930be84a9ee35e3ce0f52375ab6aa68355aae1671be52c78f9eb960ff025c77eab9632e73a9b1acfc1b93c

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
cbd29d9c8999659a2a51c45f89fa7f32

SHA1
ff94f8bfdabfd10074281d34ece91cba573a1cb4

SHA256
8fb27e010fe07d511c842337dbbb1f5cfd67ab6f486c816ea4e6ba4da400fa17

SHA512
d691f33476b4793a7b0be67d4df42e39cea692bb7dd0d94195c91aa015df5672f7f5afbe15e9cd6db457c0dc54fb23f62a46411714ff3f20dc54da21448ab4af

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\data.exe

Filesize
72KB

MD5
cbd29d9c8999659a2a51c45f89fa7f32

SHA1
ff94f8bfdabfd10074281d34ece91cba573a1cb4

SHA256
8fb27e010fe07d511c842337dbbb1f5cfd67ab6f486c816ea4e6ba4da400fa17

SHA512
d691f33476b4793a7b0be67d4df42e39cea692bb7dd0d94195c91aa015df5672f7f5afbe15e9cd6db457c0dc54fb23f62a46411714ff3f20dc54da21448ab4af

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6dcc0c27b377f1015d3ccd6576c9bd99

SHA1
52c98f62c24040f15d09202f94fa6e73a4fbfe0b

SHA256
2406d5973fa903af9d89ecbd24607e354f3dd6995c84f260260007570179d32c

SHA512
2e12f9faf589d79330bc333056c05fa19a45acae803a49cf444283f97658d122f792e2187004a7e9ac5cd443ccc7b8737800ba4d32bfa2ee9608b94195002557

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
72KB

MD5
6dcc0c27b377f1015d3ccd6576c9bd99

SHA1
52c98f62c24040f15d09202f94fa6e73a4fbfe0b

SHA256
2406d5973fa903af9d89ecbd24607e354f3dd6995c84f260260007570179d32c

SHA512
2e12f9faf589d79330bc333056c05fa19a45acae803a49cf444283f97658d122f792e2187004a7e9ac5cd443ccc7b8737800ba4d32bfa2ee9608b94195002557

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
cbd29d9c8999659a2a51c45f89fa7f32

SHA1
ff94f8bfdabfd10074281d34ece91cba573a1cb4

SHA256
8fb27e010fe07d511c842337dbbb1f5cfd67ab6f486c816ea4e6ba4da400fa17

SHA512
d691f33476b4793a7b0be67d4df42e39cea692bb7dd0d94195c91aa015df5672f7f5afbe15e9cd6db457c0dc54fb23f62a46411714ff3f20dc54da21448ab4af

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe

Filesize
72KB

MD5
cbd29d9c8999659a2a51c45f89fa7f32

SHA1
ff94f8bfdabfd10074281d34ece91cba573a1cb4

SHA256
8fb27e010fe07d511c842337dbbb1f5cfd67ab6f486c816ea4e6ba4da400fa17

SHA512
d691f33476b4793a7b0be67d4df42e39cea692bb7dd0d94195c91aa015df5672f7f5afbe15e9cd6db457c0dc54fb23f62a46411714ff3f20dc54da21448ab4af

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe

Filesize
72KB

MD5
94fde72bcc593d2d96902894d9e9b397

SHA1
42855c6c9a4d581312326d757c9ef752ddd400b2

SHA256
16fbfddad10ce217a1af2bbf1a78f88f0f8a816552053c010f16376607d47f03

SHA512
e345f593546cdac37fa1f4918580f6bd7d6ca3a1de2e0cd645a759b2c30ea53f136d9e053c2148dc1302ccd0a5457a2515648750b0ed8b3445030966a6fc96c0

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
\Program Files\Common Files\backup.exe

Filesize
72KB

MD5
7159aef9fe18f0021294ae6286b01b4d

SHA1
8a07675feed3d53112e4efbbc2bc26edfd824280

SHA256
1ac85ba3614fd29eef1eddebd5f8d28577e128f2eab317b2a7aee82502997e55

SHA512
dfdf8d194707badd615dec19afb6351a1bc48e697aec636de87d5fb4b52b767fa63f942f153cb9dc48829d9e38068d7d7c0b7be79546f55f13907e413703185f

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2ab398428a7d7fcbf579274bef06d627

SHA1
5b05c4d7f692ad5ec0da11de4e5225c60a789225

SHA256
fd3d6e3e5fbbba81efe7663a720a627203595c992044ac2d68dcf76a6ba62cd6

SHA512
fd24189829c53f0245fb1541125e54fdeb55e5cf2bd5f4b44b167bd015e84d72fe87e88054dda938c65e8ba04e19b3a3bbd9a4cf771720dba0357297e938aa95

Download Submit
\Program Files\backup.exe

Filesize
72KB

MD5
2ab398428a7d7fcbf579274bef06d627

SHA1
5b05c4d7f692ad5ec0da11de4e5225c60a789225

SHA256
fd3d6e3e5fbbba81efe7663a720a627203595c992044ac2d68dcf76a6ba62cd6

SHA512
fd24189829c53f0245fb1541125e54fdeb55e5cf2bd5f4b44b167bd015e84d72fe87e88054dda938c65e8ba04e19b3a3bbd9a4cf771720dba0357297e938aa95

Download Submit
\Users\Admin\AppData\Local\Temp\2321522944\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\2321522944\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\Low\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe

Filesize
72KB

MD5
ff3091b75ad41e9a53c5bdfffe352cbf

SHA1
ce319c89e28f14ec5d9272fdb5a7868a7d031bc4

SHA256
5c1ab3cc76356000edcae45d494163cccc11fdeb1feba1dd7c09f6d18d8d9edf

SHA512
184e5dd24e24403afea2ea096306de7aa10cab88086b2fb19ef798d1ace166e7d3dfffb30a8701d3294d33a5ff5cb08aa9f0b8e21f1fe4988b162d7669c984c2

Download Submit
memory/2024-100-0x0000000074C71000-0x0000000074C73000-memory.dmp

Filesize
8KB

Download
memory/2024-98-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads