31e38cbcfb599bd96638600dd21f6a2da3daef06573dd6c58b1afa5826d3d4ef

Analysis

max time kernel
7s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

003f53171ae7b42843b6899409cd234b.exe
Size

72KB
MD5

003f53171ae7b42843b6899409cd234b
SHA1

5bc8326b6d9d4cd44a870866ac6b0dd01690ce89
SHA256

31e38cbcfb599bd96638600dd21f6a2da3daef06573dd6c58b1afa5826d3d4ef
SHA512

04ecede2f5034215adc89b2cc5ae7db4e043671cc33e7ab8a5eeffccbff086bdf0163e4ecd6f2ad4fa8a334e3b75ebb5b65f407999a37afa997c2e2d751f3000
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2V:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrPB

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	DllHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2532	backup.exe
3040	data.exe
2564	backup.exe
2760	backup.exe
2812	backup.exe
2624	backup.exe
2948	backup.exe
2528	backup.exe
2692	backup.exe
2472	backup.exe
2944	backup.exe
2168	backup.exe
1684	backup.exe
2900	backup.exe
2500	backup.exe
1124	backup.exe
2316	backup.exe
2016	backup.exe
700	backup.exe
1280	backup.exe
1200	backup.exe
1088	backup.exe
840	backup.exe
2356	data.exe
1600	backup.exe
1328	backup.exe
2456	backup.exe
900	backup.exe
2572	backup.exe
2696	backup.exe
2092	backup.exe
1808	backup.exe
1956	backup.exe
1576	backup.exe
2524	backup.exe
1324	backup.exe
2056	backup.exe
2324	backup.exe
2156	backup.exe
2852	backup.exe
2748	data.exe
2228	System Restore.exe
2892	update.exe
2628	backup.exe
2948	System Restore.exe
2884	backup.exe
1184	backup.exe
2932	backup.exe
2796	backup.exe
292	backup.exe
1688	backup.exe
1640	backup.exe
2368	update.exe
1596	backup.exe
1528	backup.exe
1684	backup.exe
2100	backup.exe
1740	System Restore.exe
2316	backup.exe
540	backup.exe
1488	backup.exe
1888	backup.exe
1540	backup.exe
2584	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2948	backup.exe
2948	backup.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2692	backup.exe
2692	backup.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2904	003f53171ae7b42843b6899409cd234b.exe
2168	backup.exe
2168	backup.exe
1684	backup.exe
1684	backup.exe
2168	backup.exe
2168	backup.exe
2500	backup.exe
2500	backup.exe
1124	backup.exe
1124	backup.exe
2500	backup.exe
2500	backup.exe
2016	backup.exe
2016	backup.exe
700	backup.exe
700	backup.exe
700	backup.exe
700	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1328	backup.exe
1328	backup.exe
1328	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe
1200	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\data.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe	data.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe	data.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2904	003f53171ae7b42843b6899409cd234b.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2904	003f53171ae7b42843b6899409cd234b.exe
2532	backup.exe
3040	data.exe
2564	backup.exe
2760	backup.exe
2812	backup.exe
2624	backup.exe
2948	backup.exe
2528	backup.exe
2692	backup.exe
2472	backup.exe
2944	backup.exe
2168	backup.exe
1684	backup.exe
2900	backup.exe
2500	backup.exe
1124	backup.exe
2316	backup.exe
2016	backup.exe
700	backup.exe
1280	backup.exe
1200	backup.exe
1088	backup.exe
840	data.exe
2356	data.exe
1600	backup.exe
1328	backup.exe
2456	backup.exe
900	backup.exe
2572	backup.exe
2696	backup.exe
2092	backup.exe
1808	backup.exe
1956	backup.exe
1576	backup.exe
2524	backup.exe
1324	backup.exe
2056	backup.exe
2324	backup.exe
2156	backup.exe
2852	backup.exe
2748	data.exe
2228	System Restore.exe
2892	update.exe
2628	backup.exe
2948	System Restore.exe
2884	backup.exe
1184	backup.exe
2932	backup.exe
2796	backup.exe
292	backup.exe
1688	backup.exe
1640	backup.exe
2368	update.exe
1596	backup.exe
1528	backup.exe
1684	backup.exe
2100	backup.exe
1740	System Restore.exe
2316	backup.exe
540	backup.exe
1488	backup.exe
1888	backup.exe
1540	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2532	2904	003f53171ae7b42843b6899409cd234b.exe	28
PID 2904 wrote to memory of 2532	2904	003f53171ae7b42843b6899409cd234b.exe	28
PID 2904 wrote to memory of 2532	2904	003f53171ae7b42843b6899409cd234b.exe	28
PID 2904 wrote to memory of 2532	2904	003f53171ae7b42843b6899409cd234b.exe	28
PID 2904 wrote to memory of 3040	2904	003f53171ae7b42843b6899409cd234b.exe	29
PID 2904 wrote to memory of 3040	2904	003f53171ae7b42843b6899409cd234b.exe	29
PID 2904 wrote to memory of 3040	2904	003f53171ae7b42843b6899409cd234b.exe	29
PID 2904 wrote to memory of 3040	2904	003f53171ae7b42843b6899409cd234b.exe	29
PID 2904 wrote to memory of 2564	2904	003f53171ae7b42843b6899409cd234b.exe	30
PID 2904 wrote to memory of 2564	2904	003f53171ae7b42843b6899409cd234b.exe	30
PID 2904 wrote to memory of 2564	2904	003f53171ae7b42843b6899409cd234b.exe	30
PID 2904 wrote to memory of 2564	2904	003f53171ae7b42843b6899409cd234b.exe	30
PID 2904 wrote to memory of 2760	2904	003f53171ae7b42843b6899409cd234b.exe	31
PID 2904 wrote to memory of 2760	2904	003f53171ae7b42843b6899409cd234b.exe	31
PID 2904 wrote to memory of 2760	2904	003f53171ae7b42843b6899409cd234b.exe	31
PID 2904 wrote to memory of 2760	2904	003f53171ae7b42843b6899409cd234b.exe	31
PID 2904 wrote to memory of 2812	2904	003f53171ae7b42843b6899409cd234b.exe	32
PID 2904 wrote to memory of 2812	2904	003f53171ae7b42843b6899409cd234b.exe	32
PID 2904 wrote to memory of 2812	2904	003f53171ae7b42843b6899409cd234b.exe	32
PID 2904 wrote to memory of 2812	2904	003f53171ae7b42843b6899409cd234b.exe	32
PID 2904 wrote to memory of 2624	2904	003f53171ae7b42843b6899409cd234b.exe	33
PID 2904 wrote to memory of 2624	2904	003f53171ae7b42843b6899409cd234b.exe	33
PID 2904 wrote to memory of 2624	2904	003f53171ae7b42843b6899409cd234b.exe	33
PID 2904 wrote to memory of 2624	2904	003f53171ae7b42843b6899409cd234b.exe	33
PID 2904 wrote to memory of 2948	2904	003f53171ae7b42843b6899409cd234b.exe	34
PID 2904 wrote to memory of 2948	2904	003f53171ae7b42843b6899409cd234b.exe	34
PID 2904 wrote to memory of 2948	2904	003f53171ae7b42843b6899409cd234b.exe	34
PID 2904 wrote to memory of 2948	2904	003f53171ae7b42843b6899409cd234b.exe	34
PID 2948 wrote to memory of 2528	2948	backup.exe	35
PID 2948 wrote to memory of 2528	2948	backup.exe	35
PID 2948 wrote to memory of 2528	2948	backup.exe	35
PID 2948 wrote to memory of 2528	2948	backup.exe	35
PID 2904 wrote to memory of 2692	2904	003f53171ae7b42843b6899409cd234b.exe	36
PID 2904 wrote to memory of 2692	2904	003f53171ae7b42843b6899409cd234b.exe	36
PID 2904 wrote to memory of 2692	2904	003f53171ae7b42843b6899409cd234b.exe	36
PID 2904 wrote to memory of 2692	2904	003f53171ae7b42843b6899409cd234b.exe	36
PID 2692 wrote to memory of 2472	2692	backup.exe	37
PID 2692 wrote to memory of 2472	2692	backup.exe	37
PID 2692 wrote to memory of 2472	2692	backup.exe	37
PID 2692 wrote to memory of 2472	2692	backup.exe	37
PID 2904 wrote to memory of 2944	2904	003f53171ae7b42843b6899409cd234b.exe	38
PID 2904 wrote to memory of 2944	2904	003f53171ae7b42843b6899409cd234b.exe	38
PID 2904 wrote to memory of 2944	2904	003f53171ae7b42843b6899409cd234b.exe	38
PID 2904 wrote to memory of 2944	2904	003f53171ae7b42843b6899409cd234b.exe	38
PID 2532 wrote to memory of 2168	2532	backup.exe	39
PID 2532 wrote to memory of 2168	2532	backup.exe	39
PID 2532 wrote to memory of 2168	2532	backup.exe	39
PID 2532 wrote to memory of 2168	2532	backup.exe	39
PID 2168 wrote to memory of 1684	2168	backup.exe	40
PID 2168 wrote to memory of 1684	2168	backup.exe	40
PID 2168 wrote to memory of 1684	2168	backup.exe	40
PID 2168 wrote to memory of 1684	2168	backup.exe	40
PID 1684 wrote to memory of 2900	1684	backup.exe	41
PID 1684 wrote to memory of 2900	1684	backup.exe	41
PID 1684 wrote to memory of 2900	1684	backup.exe	41
PID 1684 wrote to memory of 2900	1684	backup.exe	41
PID 2168 wrote to memory of 2500	2168	backup.exe	42
PID 2168 wrote to memory of 2500	2168	backup.exe	42
PID 2168 wrote to memory of 2500	2168	backup.exe	42
PID 2168 wrote to memory of 2500	2168	backup.exe	42
PID 2500 wrote to memory of 1124	2500	backup.exe	43
PID 2500 wrote to memory of 1124	2500	backup.exe	43
PID 2500 wrote to memory of 1124	2500	backup.exe	43
PID 2500 wrote to memory of 1124	2500	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	003f53171ae7b42843b6899409cd234b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	003f53171ae7b42843b6899409cd234b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\003f53171ae7b42843b6899409cd234b.exe
"C:\Users\Admin\AppData\Local\Temp\003f53171ae7b42843b6899409cd234b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2904
- C:\Users\Admin\AppData\Local\Temp\2676121189\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2676121189\backup.exe C:\Users\Admin\AppData\Local\Temp\2676121189\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\backup.exe
    \backup.exe \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2900
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1124
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:2616
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2016
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        
        PID:2712
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:1148
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        Disables RegEdit via registry modification
        
        PID:3020
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:2792
      - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\
        6⤵
        
        PID:1344
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1604
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        
        PID:1760
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:1756
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        
        PID:2964
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1580
        
        C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
        7⤵
        
        PID:1264
        
        C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
        7⤵
        
        PID:1700
        
        C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
        7⤵
        
        PID:2708
        
        C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
        7⤵
        
        PID:1608
        
        C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
        7⤵
        
        PID:2732
        
        C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2388
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:2044
        
        C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
        7⤵
        
        PID:2820
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
        7⤵
        
        PID:2680
        
        C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
        7⤵
        
        PID:2672
        
        C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
        7⤵
        
        PID:2656
        
        C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
        7⤵
        
        PID:2724
        
        C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
        7⤵
        
        PID:2840
        
        C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\
        7⤵
        
        PID:312
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:2652
        
        C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\
        7⤵
        
        PID:2928
        
        C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\
        7⤵
        
        PID:2960
        
        C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\
        7⤵
        
        PID:2040
        
        C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\
        7⤵
        
        PID:2736
        
        C:\Program Files\Microsoft Games\Mahjong\en-US\update.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\en-US\update.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\
        7⤵
        
        PID:2780
        
        C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\
        7⤵
        
        PID:2412
      - C:\Program Files\Microsoft Games\More Games\data.exe
        
        "C:\Program Files\Microsoft Games\More Games\data.exe" C:\Program Files\Microsoft Games\More Games\
        6⤵
        
        PID:2996
        
        C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe" C:\Program Files\Microsoft Games\More Games\es-ES\
        7⤵
        
        PID:808
        
        C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe" C:\Program Files\Microsoft Games\More Games\ja-JP\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2360
        
        C:\Program Files\Microsoft Games\More Games\it-IT\data.exe
        
        "C:\Program Files\Microsoft Games\More Games\it-IT\data.exe" C:\Program Files\Microsoft Games\More Games\it-IT\
        7⤵
        
        PID:1744
        
        C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\
        7⤵
        
        PID:376
        
        C:\Program Files\Microsoft Games\More Games\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\en-US\backup.exe" C:\Program Files\Microsoft Games\More Games\en-US\
        7⤵
        
        PID:2112
        
        C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
        
        C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\
        7⤵
        
        PID:808
      - C:\Program Files\Microsoft Games\Multiplayer\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
        6⤵
        
        PID:1856
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\
        7⤵
        
        PID:2708
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\
        8⤵
        
        PID:2828
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\
        8⤵
        
        PID:2820
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\
        8⤵
        
        PID:2676
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\
        8⤵
        
        PID:1872
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\
        8⤵
        
        PID:2724
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\
        8⤵
        
        PID:2840
      - C:\Program Files\Microsoft Games\Minesweeper\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:2340
      - C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\
        6⤵
        
        PID:1996
      - C:\Program Files\Microsoft Games\Solitaire\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\backup.exe" C:\Program Files\Microsoft Games\Solitaire\
        6⤵
        
        PID:1864
      - C:\Program Files\Microsoft Games\Purble Place\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
        6⤵
        
        PID:1612
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:1600
      - C:\Program Files\Mozilla Firefox\uninstall\update.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\update.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1816
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1332
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:1608
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:1324
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        8⤵
        System policy modification
        
        PID:1724
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:1684
    - - C:\Program Files\Reference Assemblies\System Restore.exe
        
        "C:\Program Files\Reference Assemblies\System Restore.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:2836
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:2076
      - C:\Program Files\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
        6⤵
        Disables RegEdit via registry modification
        
        PID:900
      - C:\Program Files\Windows Defender\en-US\backup.exe
        
        "C:\Program Files\Windows Defender\en-US\backup.exe" C:\Program Files\Windows Defender\en-US\
        6⤵
        
        PID:1732
      - C:\Program Files\Windows Defender\es-ES\System Restore.exe
        
        "C:\Program Files\Windows Defender\es-ES\System Restore.exe" C:\Program Files\Windows Defender\es-ES\
        6⤵
        
        PID:1816
      - C:\Program Files\Windows Defender\fr-FR\backup.exe
        
        "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2756
      - C:\Program Files\Windows Defender\it-IT\backup.exe
        
        "C:\Program Files\Windows Defender\it-IT\backup.exe" C:\Program Files\Windows Defender\it-IT\
        6⤵
        
        PID:300
      - C:\Program Files\Windows Defender\ja-JP\backup.exe
        
        "C:\Program Files\Windows Defender\ja-JP\backup.exe" C:\Program Files\Windows Defender\ja-JP\
        6⤵
        
        PID:2188
    - - C:\Program Files\Windows Journal\backup.exe
        
        "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
        5⤵
        
        PID:1640
      - C:\Program Files\Windows Journal\de-DE\backup.exe
        
        "C:\Program Files\Windows Journal\de-DE\backup.exe" C:\Program Files\Windows Journal\de-DE\
        6⤵
        
        PID:2292
      - C:\Program Files\Windows Journal\en-US\backup.exe
        
        "C:\Program Files\Windows Journal\en-US\backup.exe" C:\Program Files\Windows Journal\en-US\
        6⤵
        
        PID:1624
      - C:\Program Files\Windows Journal\es-ES\update.exe
        
        "C:\Program Files\Windows Journal\es-ES\update.exe" C:\Program Files\Windows Journal\es-ES\
        6⤵
        
        PID:2380
      - C:\Program Files\Windows Journal\fr-FR\backup.exe
        
        "C:\Program Files\Windows Journal\fr-FR\backup.exe" C:\Program Files\Windows Journal\fr-FR\
        6⤵
        
        PID:2464
      - C:\Program Files\Windows Journal\it-IT\backup.exe
        
        "C:\Program Files\Windows Journal\it-IT\backup.exe" C:\Program Files\Windows Journal\it-IT\
        6⤵
        
        PID:2816
      - C:\Program Files\Windows Journal\ja-JP\backup.exe
        
        "C:\Program Files\Windows Journal\ja-JP\backup.exe" C:\Program Files\Windows Journal\ja-JP\
        6⤵
        
        PID:2672
      - C:\Program Files\Windows Journal\Templates\backup.exe
        
        "C:\Program Files\Windows Journal\Templates\backup.exe" C:\Program Files\Windows Journal\Templates\
        6⤵
        
        PID:1804
    - - C:\Program Files\Windows Mail\backup.exe
        
        "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
        5⤵
        
        PID:2968
    - - C:\Program Files\Windows Media Player\backup.exe
        
        "C:\Program Files\Windows Media Player\backup.exe" C:\Program Files\Windows Media Player\
        5⤵
        
        PID:2140
    - - C:\Program Files\Windows NT\System Restore.exe
        
        "C:\Program Files\Windows NT\System Restore.exe" C:\Program Files\Windows NT\
        5⤵
        
        PID:2416
    - - C:\Program Files\Windows Photo Viewer\backup.exe
        
        "C:\Program Files\Windows Photo Viewer\backup.exe" C:\Program Files\Windows Photo Viewer\
        5⤵
        
        PID:1880
    - - C:\Program Files\Windows Portable Devices\backup.exe
        
        "C:\Program Files\Windows Portable Devices\backup.exe" C:\Program Files\Windows Portable Devices\
        5⤵
        
        PID:2168
    - - C:\Program Files\Windows Sidebar\backup.exe
        
        "C:\Program Files\Windows Sidebar\backup.exe" C:\Program Files\Windows Sidebar\
        5⤵
        
        PID:2128
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      PID:908
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:2488
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:2064
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:848
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        System policy modification
        
        PID:812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2516
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:3040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1228
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1828
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2644
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:3068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:1892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:384
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:376
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:692
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2988
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2400
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1940
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1504
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:2980
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        
        PID:3028
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2140
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:2748
        
        C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\
        10⤵
        
        PID:2960
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        
        PID:2636
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        
        PID:2876
        
        C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\
        12⤵
        
        PID:2944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        
        PID:1964
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:700
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1972
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        
        PID:588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        
        PID:2076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        
        PID:1752
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:3020
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:2448
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        
        PID:1788
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        
        PID:1328
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:1704
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:880
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        
        PID:2828
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:2784
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:1712
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:764
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:1672
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:3048
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:2656
      - C:\Program Files (x86)\Common Files\DESIGNER\update.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\update.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:292
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:2328
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:892
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:2100
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        
        PID:2416
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:2316
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:3020
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1440
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        
        PID:2884
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        8⤵
        
        PID:2132
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        8⤵
        
        PID:784
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        8⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        8⤵
        
        PID:2756
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        8⤵
        
        PID:2980
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        8⤵
        
        PID:1608
        
        C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\
        9⤵
        
        PID:764
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        8⤵
        
        PID:300
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        8⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2844
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        8⤵
        
        PID:2952
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        8⤵
        
        PID:2956
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:2904
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:1328
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        7⤵
        
        PID:1944
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        7⤵
        
        PID:1804
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        
        PID:320
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        7⤵
        
        PID:1948
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
        8⤵
        
        PID:2472
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        8⤵
        
        PID:1604
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2944
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
        9⤵
        
        PID:2512
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
        9⤵
        
        PID:2632
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
        9⤵
        
        PID:2112
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
        9⤵
        
        PID:1964
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
        9⤵
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
        9⤵
        
        PID:1440
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
        9⤵
        
        PID:2144
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
        9⤵
        
        PID:1648
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
        9⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:980
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
        9⤵
        
        PID:1880
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
        9⤵
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1768
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
        9⤵
        
        PID:2676
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
        9⤵
        
        PID:2880
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
        9⤵
        
        PID:2940
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
        9⤵
        
        PID:3032
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
        9⤵
        
        PID:552
        
        C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2652
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
        8⤵
        
        PID:2888
        
        C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        7⤵
        
        PID:2084
        
        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        7⤵
        
        PID:1344
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:612
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        System policy modification
        
        PID:628
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\
        8⤵
        System policy modification
        
        PID:2536
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\
        8⤵
        
        PID:1700
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\
        8⤵
        
        PID:2924
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\
        8⤵
        
        PID:2224
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\
        8⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        System policy modification
        
        PID:1148
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
        7⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2540
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\
        8⤵
        
        PID:1292
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\
        8⤵
        
        PID:2736
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\
        8⤵
        
        PID:2328
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\
        8⤵
        
        PID:3056
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\
        8⤵
        
        PID:2096
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\
        8⤵
        
        PID:2584
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\
        8⤵
        
        PID:2768
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\
        8⤵
        
        PID:2188
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\
        8⤵
        
        PID:1832
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\
        8⤵
        
        PID:2904
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\
        8⤵
        
        PID:636
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\
        8⤵
        
        PID:1608
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\
        8⤵
        
        PID:2264
        
        C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:976
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1368
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
        7⤵
        
        PID:1668
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\
        7⤵
        
        PID:1856
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\
        7⤵
        
        PID:1776
        
        C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VC\
        7⤵
        
        PID:2064
        
        C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VGX\
        7⤵
        
        PID:1100
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\
        7⤵
        
        PID:804
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\
        7⤵
        
        PID:2492
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\
        7⤵
        
        PID:2612
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\
        7⤵
        
        PID:2344
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2012
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1580
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:1328
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        
        PID:2668
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:780
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2732
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:2164
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\update.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\update.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:1564
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3008
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:1612
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:548
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1948
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:1996
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        
        PID:2016
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:1228
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        
        PID:1684
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:2820
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\
        7⤵
        
        PID:2664
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        
        PID:352
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2388
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2804
      - C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2380
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:1976
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:2128
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        
        PID:2100
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:1600
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:2052
    - - C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        
        PID:1512
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2408
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        
        PID:1052
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:2120
    - - C:\Program Files (x86)\Microsoft Sync Framework\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\System Restore.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:1756
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:2148
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:268
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        
        PID:3016
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        
        PID:2536
  - - C:\Users\backup.exe
      C:\Users\backup.exe C:\Users\
      4⤵
      PID:352
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        System policy modification
        
        PID:1268
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:884
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:1032
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:2320
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        
        PID:2620
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:2952
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:3056
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1684
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:1092
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        
        PID:2728
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2340
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:1440
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:2488
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      PID:1860
    - - C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        5⤵
        
        PID:2376
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:2944
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        
        PID:576
    - - C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        5⤵
        
        PID:2976
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2200
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2556
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:2372
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\data.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\CRX_INSTALL\backup.exe
    C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\CRX_INSTALL\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2472
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2944

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1200
- C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
  2⤵
  PID:840
- C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
  2⤵
  PID:1600
- C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\update.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
  2⤵
  PID:1328
- C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
  2⤵
  PID:900
- C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2456
- - C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
    "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
    3⤵
    PID:2732
- C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
  2⤵
  PID:2356
- C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2092
- C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
  2⤵
  PID:1956
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2056
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
    3⤵
    PID:2156
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
    3⤵
    PID:2748
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
      4⤵
      PID:1872
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
      4⤵
      PID:2496
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
      4⤵
      PID:2672
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
      4⤵
      PID:2620
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
    3⤵
    PID:2228
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2852
  - - C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\
      4⤵
      PID:2016
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2324
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
    3⤵
    PID:2524
- - C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1576
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
    3⤵
    PID:2752
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
      4⤵
      PID:2680
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
      4⤵
      PID:2408
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\data.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
      4⤵
      PID:320
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        5⤵
        
        PID:1280
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        5⤵
        
        PID:2100
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        5⤵
        
        PID:1964
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        5⤵
        
        PID:1344
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        5⤵
        
        PID:1096
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        5⤵
        
        PID:2180
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2792
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        5⤵
        
        PID:780
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        5⤵
        
        PID:1228
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
      4⤵
      PID:2920
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
      4⤵
      PID:1672
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
      4⤵
      PID:2496
- C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
  2⤵
  PID:2628
- C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2884
- C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
  2⤵
  PID:1184
- C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
  2⤵
  PID:2892
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\
    3⤵
    PID:1612
  - - C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe" C:\Program Files\Microsoft Games\Purble Place\en-US\
      4⤵
      PID:2628
  - - C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe" C:\Program Files\Microsoft Games\Purble Place\it-IT\
      4⤵
      PID:2736
  - - C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Purble Place\ja-JP\
      4⤵
      PID:2704
  - - C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Purble Place\fr-FR\
      4⤵
      PID:2936
  - - C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe" C:\Program Files\Microsoft Games\Purble Place\es-ES\
      4⤵
      PID:3060
  - - C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe" C:\Program Files\Microsoft Games\Purble Place\de-DE\
      4⤵
      Drops file in Program Files directory
      PID:2016
- C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
  2⤵
  PID:292
- C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1640
- C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
  2⤵
  PID:1596
- C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1684
- - C:\Program Files\VideoLAN\VLC\backup.exe
    "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
    3⤵
    PID:836
  - - C:\Program Files\VideoLAN\VLC\locale\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:1252
    - - C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        5⤵
        
        PID:1368
      - C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        6⤵
        
        PID:1812
      - C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
        6⤵
        
        PID:2196
      - C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
        6⤵
        
        PID:1992
    - - C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        5⤵
        
        PID:2380
      - C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        6⤵
        
        PID:2204
    - - C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1560
      - C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1496
    - - C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        5⤵
        
        PID:1732
      - C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        6⤵
        
        PID:1212
    - - C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
        5⤵
        
        PID:1820
      - C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        6⤵
        
        PID:880
    - - C:\Program Files\VideoLAN\VLC\locale\as_IN\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\update.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
        5⤵
        
        PID:3028
      - C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
        6⤵
        
        PID:2744
    - - C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
        5⤵
        
        PID:1448
      - C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1872
    - - C:\Program Files\VideoLAN\VLC\locale\az\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\az\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\
        5⤵
        
        PID:2044
    - - C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
        5⤵
        
        PID:2656
      - C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1612
    - - C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\
        5⤵
        
        PID:2512
      - C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
        6⤵
        
        PID:2328
    - - C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\
        5⤵
        
        PID:2316
      - C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\
        6⤵
        
        PID:1428
    - - C:\Program Files\VideoLAN\VLC\locale\br\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\
        5⤵
        
        PID:2268
      - C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
        6⤵
        
        PID:2464
    - - C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\
        5⤵
        
        PID:2132
    - - C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\
        5⤵
        
        PID:2904
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2828
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        6⤵
        
        PID:1956
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        6⤵
        
        PID:2032
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        6⤵
        
        PID:3040
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        6⤵
        
        PID:1704
    - - C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1692
    - - C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\
        5⤵
        
        PID:2120
      - C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\
        6⤵
        
        PID:3044
    - - C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\
        5⤵
        
        PID:2372
      - C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\
        6⤵
        
        PID:2976
    - - C:\Program Files\VideoLAN\VLC\locale\ckb\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ckb\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ckb\
        5⤵
        
        PID:2724
      - C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2708
    - - C:\Program Files\VideoLAN\VLC\locale\co\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\co\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\
        5⤵
        
        PID:1720
      - C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\
        6⤵
        
        PID:2928
    - - C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\
        5⤵
        
        PID:2052
      - C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\
        6⤵
        
        PID:2944
    - - C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\
        5⤵
        System policy modification
        
        PID:2200
      - C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\
        6⤵
        
        PID:1596
    - - C:\Program Files\VideoLAN\VLC\locale\da\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\da\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\
        5⤵
        
        PID:1344
      - C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\
        6⤵
        
        PID:1096
    - - C:\Program Files\VideoLAN\VLC\locale\de\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\de\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\
        5⤵
        
        PID:2884
      - C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\
        6⤵
        
        PID:1032
        
        C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\
        7⤵
        
        PID:1200
    - - C:\Program Files\VideoLAN\VLC\locale\el\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\el\update.exe" C:\Program Files\VideoLAN\VLC\locale\el\
        5⤵
        
        PID:612
      - C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\
        6⤵
        
        PID:2296
    - - C:\Program Files\VideoLAN\VLC\locale\en_GB\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\en_GB\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\
        5⤵
        
        PID:2132
      - C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\
        6⤵
        
        PID:1356
    - - C:\Program Files\VideoLAN\VLC\locale\es\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\es\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\
        5⤵
        
        PID:784
      - C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\
        6⤵
        
        PID:2332
    - - C:\Program Files\VideoLAN\VLC\locale\et\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\et\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2400
      - C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\
        6⤵
        
        PID:1880
    - - C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\
        5⤵
        
        PID:2824
      - C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\
        6⤵
        
        PID:540
    - - C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\
        5⤵
        
        PID:2008
      - C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\
        6⤵
        
        PID:2680
    - - C:\Program Files\VideoLAN\VLC\locale\ff\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ff\update.exe" C:\Program Files\VideoLAN\VLC\locale\ff\
        5⤵
        System policy modification
        
        PID:2892
      - C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\
        6⤵
        
        PID:2628
    - - C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\
        5⤵
        
        PID:2672
      - C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\
        6⤵
        
        PID:804
    - - C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\
        5⤵
        
        PID:2632
      - C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\
        6⤵
        
        PID:2840
    - - C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\
        5⤵
        
        PID:1864
      - C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\
        6⤵
        
        PID:1888
      - C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\
        6⤵
        
        PID:1784
    - - C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:808
      - C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\
        6⤵
        
        PID:3052
    - - C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\
        5⤵
        
        PID:1696
      - C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\
        6⤵
        Drops file in Program Files directory
        
        PID:2592
    - - C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\
        5⤵
        
        PID:2144
      - C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\
        6⤵
        
        PID:1300
    - - C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\
        5⤵
        
        PID:1800
      - C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\
        6⤵
        
        PID:1304
    - - C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\
        5⤵
        
        PID:296
      - C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\
        6⤵
        
        PID:2120
    - - C:\Program Files\VideoLAN\VLC\locale\he\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\he\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\
        5⤵
        
        PID:2760
      - C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\
        6⤵
        
        PID:2768
    - - C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\
        5⤵
        
        PID:2740
      - C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\
        6⤵
        
        PID:2612
    - - C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\
        5⤵
        
        PID:3056
      - C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\
        6⤵
        
        PID:2664
    - - C:\Program Files\VideoLAN\VLC\locale\it\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\it\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\
        5⤵
        
        PID:1648
      - C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\
        6⤵
        
        PID:2700
    - - C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\
        5⤵
        
        PID:1820
      - C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\
        6⤵
        
        PID:2816
    - - C:\Program Files\VideoLAN\VLC\locale\km\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\km\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\
        5⤵
        
        PID:2284
      - C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\
        6⤵
        
        PID:2008
    - - C:\Program Files\VideoLAN\VLC\locale\kk\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\
        5⤵
        
        PID:2852
    - - C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\
        5⤵
        
        PID:1408
    - - C:\Program Files\VideoLAN\VLC\locale\is\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\is\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\
        5⤵
        
        PID:2596
    - - C:\Program Files\VideoLAN\VLC\locale\id\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\id\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\
        5⤵
        
        PID:1524
    - - C:\Program Files\VideoLAN\VLC\locale\ia\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ia\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ia\
        5⤵
        
        PID:2000
    - - C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\
        5⤵
        
        PID:2876
    - - C:\Program Files\VideoLAN\VLC\locale\hr\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hr\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\hr\
        5⤵
        Drops file in Program Files directory
        
        PID:2748
    - - C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\
        5⤵
        
        PID:2956
      - C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\
        6⤵
        
        PID:2668
    - - C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\
        5⤵
        
        PID:2040
      - C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\
        6⤵
        
        PID:2888
    - - C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\
        5⤵
        
        PID:1676
      - C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\
        6⤵
        
        PID:2912
    - - C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\
        5⤵
        
        PID:2896
      - C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:2436
    - - C:\Program Files\VideoLAN\VLC\locale\lg\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lg\update.exe" C:\Program Files\VideoLAN\VLC\locale\lg\
        5⤵
        
        PID:1052
      - C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\
        6⤵
        
        PID:1760
    - - C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\
        5⤵
        
        PID:548
      - C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\
        6⤵
        
        PID:808
    - - C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\
        5⤵
        
        PID:488
      - C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\
        6⤵
        
        PID:676
    - - C:\Program Files\VideoLAN\VLC\locale\mai\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mai\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mai\
        5⤵
        
        PID:1308
      - C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\
        6⤵
        
        PID:2388
    - - C:\Program Files\VideoLAN\VLC\locale\mk\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mk\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\mk\
        5⤵
        
        PID:2808
      - C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\
        6⤵
        
        PID:1412
    - - C:\Program Files\VideoLAN\VLC\locale\ml\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ml\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ml\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1952
      - C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\
        6⤵
        
        PID:2744
    - - C:\Program Files\VideoLAN\VLC\locale\mn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mn\
        5⤵
        
        PID:2980
      - C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\
        6⤵
        
        PID:1712
    - - C:\Program Files\VideoLAN\VLC\locale\mr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mr\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2496
      - C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\
        6⤵
        
        PID:1304
    - - C:\Program Files\VideoLAN\VLC\locale\ms\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ms\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ms\
        5⤵
        
        PID:2928
      - C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\
        6⤵
        
        PID:2472
    - - C:\Program Files\VideoLAN\VLC\locale\my\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\my\backup.exe" C:\Program Files\VideoLAN\VLC\locale\my\
        5⤵
        
        PID:1672
      - C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\
        6⤵
        
        PID:1228
    - - C:\Program Files\VideoLAN\VLC\locale\nb\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nb\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nb\
        5⤵
        
        PID:1596
      - C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\
        6⤵
        
        PID:2644
    - - C:\Program Files\VideoLAN\VLC\locale\or\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\or\backup.exe" C:\Program Files\VideoLAN\VLC\locale\or\
        5⤵
        
        PID:2588
      - C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\
        6⤵
        
        PID:2120
    - - C:\Program Files\VideoLAN\VLC\locale\pa\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pa\
        5⤵
        
        PID:3040
      - C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\
        6⤵
        System policy modification
        
        PID:2696
    - - C:\Program Files\VideoLAN\VLC\locale\ps\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ps\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ps\
        5⤵
        
        PID:2300
      - C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\
        6⤵
        
        PID:1612
    - - C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pl\
        5⤵
        
        PID:1608
    - - C:\Program Files\VideoLAN\VLC\locale\oc\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\oc\backup.exe" C:\Program Files\VideoLAN\VLC\locale\oc\
        5⤵
        
        PID:2812
    - - C:\Program Files\VideoLAN\VLC\locale\nn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nn\
        5⤵
        
        PID:1032
    - - C:\Program Files\VideoLAN\VLC\locale\nl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nl\
        5⤵
        
        PID:2996
    - - C:\Program Files\VideoLAN\VLC\locale\ne\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ne\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ne\
        5⤵
        
        PID:1864
    - - C:\Program Files\VideoLAN\VLC\locale\pt_BR\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pt_BR\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_BR\
        5⤵
        
        PID:2636
      - C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\
        6⤵
        
        PID:1708
    - - C:\Program Files\VideoLAN\VLC\locale\pt_PT\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pt_PT\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_PT\
        5⤵
        
        PID:2820
      - C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\
        6⤵
        
        PID:1604
    - - C:\Program Files\VideoLAN\VLC\locale\ro\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ro\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ro\
        5⤵
        
        PID:2840
      - C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\
        6⤵
        
        PID:1428
    - - C:\Program Files\VideoLAN\VLC\locale\ru\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ru\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ru\
        5⤵
        
        PID:1812
      - C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2416
    - - C:\Program Files\VideoLAN\VLC\locale\si\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\si\update.exe" C:\Program Files\VideoLAN\VLC\locale\si\
        5⤵
        
        PID:2064
      - C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\
        6⤵
        
        PID:2304
    - - C:\Program Files\VideoLAN\VLC\locale\sk\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sk\
        5⤵
        
        PID:912
      - C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\
        6⤵
        
        PID:2760
    - - C:\Program Files\VideoLAN\VLC\locale\sl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sl\
        5⤵
        
        PID:832
      - C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1248
    - - C:\Program Files\VideoLAN\VLC\locale\sq\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sq\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sq\
        5⤵
        
        PID:1596
      - C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\
        6⤵
        
        PID:1864
    - - C:\Program Files\VideoLAN\VLC\locale\sr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sr\
        5⤵
        
        PID:1300
    - - C:\Program Files\VideoLAN\VLC\locale\sv\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sv\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sv\
        5⤵
        
        PID:1712
    - - C:\Program Files\VideoLAN\VLC\locale\ta\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ta\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ta\
        5⤵
        
        PID:2288
    - - C:\Program Files\VideoLAN\VLC\locale\te\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\te\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\te\
        5⤵
        
        PID:2684
    - - C:\Program Files\VideoLAN\VLC\locale\tet\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tet\backup.exe" C:\Program Files\VideoLAN\VLC\locale\tet\
        5⤵
        
        PID:2920
    - - C:\Program Files\VideoLAN\VLC\locale\th\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\th\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\th\
        5⤵
        
        PID:2180
    - - C:\Program Files\VideoLAN\VLC\locale\tl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\tl\
        5⤵
        
        PID:2988
    - - C:\Program Files\VideoLAN\VLC\locale\tr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\tr\
        5⤵
        
        PID:1840
    - - C:\Program Files\VideoLAN\VLC\locale\ug\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ug\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ug\
        5⤵
        
        PID:2780
    - - C:\Program Files\VideoLAN\VLC\locale\uk\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\uk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\uk\
        5⤵
        
        PID:1412
  - - C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
      "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
      4⤵
      PID:1864
  - - C:\Program Files\VideoLAN\VLC\lua\backup.exe
      "C:\Program Files\VideoLAN\VLC\lua\backup.exe" C:\Program Files\VideoLAN\VLC\lua\
      4⤵
      PID:1888
    - - C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe" C:\Program Files\VideoLAN\VLC\lua\extensions\
        5⤵
        
        PID:1624
    - - C:\Program Files\VideoLAN\VLC\lua\http\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:296
      - C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\
        6⤵
        
        PID:2044
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\
        7⤵
        
        PID:804
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\data.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\data.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\
        8⤵
        
        PID:1100
      - C:\Program Files\VideoLAN\VLC\lua\http\dialogs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\dialogs\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\dialogs\
        6⤵
        
        PID:2332
      - C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\images\
        6⤵
        
        PID:2932
      - C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\js\
        6⤵
        
        PID:2576
      - C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\requests\
        6⤵
        
        PID:488
    - - C:\Program Files\VideoLAN\VLC\lua\intf\data.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\intf\data.exe" C:\Program Files\VideoLAN\VLC\lua\intf\
        5⤵
        
        PID:3024
      - C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\modules\
        6⤵
        
        PID:2256
    - - C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\
        5⤵
        
        PID:2628
    - - C:\Program Files\VideoLAN\VLC\lua\modules\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\modules\
        5⤵
        
        PID:2868
    - - C:\Program Files\VideoLAN\VLC\lua\playlist\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\backup.exe" C:\Program Files\VideoLAN\VLC\lua\playlist\
        5⤵
        
        PID:1032
    - - C:\Program Files\VideoLAN\VLC\lua\sd\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\sd\backup.exe" C:\Program Files\VideoLAN\VLC\lua\sd\
        5⤵
        
        PID:2604
  - - C:\Program Files\VideoLAN\VLC\plugins\backup.exe
      "C:\Program Files\VideoLAN\VLC\plugins\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\
      4⤵
      PID:288
    - - C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access\
        5⤵
        
        PID:3004
    - - C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access_output\
        5⤵
        
        PID:1200
    - - C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_filter\
        5⤵
        
        PID:292
    - - C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\
        5⤵
        
        PID:1764
    - - C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_output\
        5⤵
        
        PID:2124
    - - C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\codec\
        5⤵
        
        PID:580
    - - C:\Program Files\VideoLAN\VLC\plugins\control\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\control\
        5⤵
        
        PID:2192
    - - C:\Program Files\VideoLAN\VLC\plugins\d3d11\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\d3d11\
        5⤵
        
        PID:2680
  - - C:\Program Files\VideoLAN\VLC\skins\backup.exe
      "C:\Program Files\VideoLAN\VLC\skins\backup.exe" C:\Program Files\VideoLAN\VLC\skins\
      4⤵
      PID:1700
    - - C:\Program Files\VideoLAN\VLC\skins\fonts\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\backup.exe" C:\Program Files\VideoLAN\VLC\skins\fonts\
        5⤵
        
        PID:612
- C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2100
- C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
  2⤵
  PID:540
- C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1888
- C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
  2⤵
  PID:1540
- - C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
    3⤵
    - Disables RegEdit via registry modification
    - Drops file in Program Files directory
    PID:1628
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
      4⤵
      PID:2372
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2156
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
        5⤵
        
        PID:2196
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
        5⤵
        
        PID:292
      - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\
        6⤵
        
        PID:2232
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
        5⤵
        
        PID:2344
      - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        6⤵
        
        PID:1332
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        7⤵
        
        PID:1892
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\
        7⤵
        
        PID:2292
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\
        8⤵
        
        PID:588
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\
        8⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1268
      - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        6⤵
        
        PID:2436
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
        7⤵
        
        PID:1252
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
        8⤵
        
        PID:696
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
        5⤵
        
        PID:2232
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
        5⤵
        
        PID:2916
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
        5⤵
        
        PID:2472
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
        5⤵
        
        PID:2200
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
        5⤵
        
        PID:760
      - C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        6⤵
        
        PID:1720
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
        5⤵
        
        PID:2028
      - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\
        6⤵
        
        PID:760
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
        5⤵
        
        PID:2748
    - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
        5⤵
        
        PID:2844
      - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\
        6⤵
        
        PID:2228
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
      4⤵
      PID:2756
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
      4⤵
      PID:2540
    - - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\
        5⤵
        
        PID:2188
    - - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\
        5⤵
        
        PID:2284
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
      4⤵
      PID:296
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
      4⤵
      PID:1508
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
      4⤵
      PID:2592
    - - C:\Program Files\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
        5⤵
        
        PID:488
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2696
  - - C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
      4⤵
      PID:3012
- - C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
    3⤵
    - Executes dropped EXE
    PID:2584
- C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1488
- C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
  2⤵
  PID:2316
- C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1528
- C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2368
- C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1688
- C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
  2⤵
  PID:2796
- C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2932
- C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
  2⤵
  PID:1756
- C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
  2⤵
  - System policy modification
  PID:2296
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
    3⤵
    - System policy modification
    PID:1832
- C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
  2⤵
  PID:2584
- - C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
    3⤵
    PID:1560
- - C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1200
- - C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\data.exe
    "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:840
- C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1808
- C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
  2⤵
  PID:2696
- C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2572
- C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1088

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
1⤵
PID:296
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
  2⤵
  - Disables RegEdit via registry modification
  PID:1300
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\data.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
  2⤵
  PID:1768
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
  2⤵
  PID:1700
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
  2⤵
  - Disables RegEdit via registry modification
  - System policy modification
  PID:612
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
  2⤵
  PID:1804
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1328
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
  2⤵
  PID:2536

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
1⤵
PID:2020
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
  2⤵
  PID:3020
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
    3⤵
    PID:2536

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
1⤵
PID:3024

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
1⤵
- System policy modification
PID:2140
- C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
  2⤵
  PID:2760
- C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
  2⤵
  PID:2740
- C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
  2⤵
  PID:2184
- C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
  2⤵
  PID:2780
- C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
  2⤵
  - Disables RegEdit via registry modification
  PID:2880
- C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
  2⤵
  - Disables RegEdit via registry modification
  - System policy modification
  PID:2824

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
1⤵
PID:2660
- C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
  2⤵
  PID:1228
- C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
  2⤵
  PID:2632
- C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
  2⤵
  PID:2692
- C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
  2⤵
  PID:2612
- C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
  2⤵
  - Disables RegEdit via registry modification
  PID:2160
- C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
  2⤵
  PID:2716

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
1⤵
PID:2604
- C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
  2⤵
  PID:2900

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
1⤵
PID:1268

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
1⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:1312
- C:\Program Files\Common Files\System\ado\en-US\backup.exe
  "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
  2⤵
  PID:1052
- C:\Program Files\Common Files\System\ado\de-DE\backup.exe
  "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
  2⤵
  PID:1496
- C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
  "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
  2⤵
  - System policy modification
  PID:1668
- C:\Program Files\Common Files\System\ado\it-IT\backup.exe
  "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
  2⤵
  PID:1216
- C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
  "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
  2⤵
  PID:1944
- C:\Program Files\Common Files\System\ado\es-ES\backup.exe
  "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:452

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
1⤵
- Drops file in Program Files directory
PID:2284
- C:\Program Files\Common Files\System\es-ES\System Restore.exe
  "C:\Program Files\Common Files\System\es-ES\System Restore.exe" C:\Program Files\Common Files\System\es-ES\
  2⤵
  PID:1832
- C:\Program Files\Common Files\System\ja-JP\backup.exe
  "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
  2⤵
  PID:2176
- C:\Program Files\Common Files\System\msadc\backup.exe
  "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
  2⤵
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  - System policy modification
  PID:2444
- - C:\Program Files\Common Files\System\msadc\es-ES\update.exe
    "C:\Program Files\Common Files\System\msadc\es-ES\update.exe" C:\Program Files\Common Files\System\msadc\es-ES\
    3⤵
    PID:1724
- - C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
    "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
    3⤵
    PID:1608
- - C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
    "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
    3⤵
    PID:2708
- - C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
    "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
    3⤵
    PID:2516
- - C:\Program Files\Common Files\System\msadc\en-US\backup.exe
    "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
    3⤵
    PID:1816
- C:\Program Files\Common Files\System\Ole DB\backup.exe
  "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
  2⤵
  - Drops file in Program Files directory
  PID:2808
- - C:\Program Files\Common Files\System\Ole DB\it-IT\System Restore.exe
    "C:\Program Files\Common Files\System\Ole DB\it-IT\System Restore.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
    3⤵
    - System policy modification
    PID:2184
- - C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
    3⤵
    PID:2780
- - C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
    3⤵
    PID:2872
- - C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    PID:2740
- - C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
    3⤵
    PID:2760
- C:\Program Files\Common Files\System\it-IT\backup.exe
  "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
  2⤵
  PID:1732
- C:\Program Files\Common Files\System\fr-FR\backup.exe
  "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
  2⤵
  - Disables RegEdit via registry modification
  PID:2192
- C:\Program Files\Common Files\System\en-US\backup.exe
  "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
  2⤵
  PID:1896
- C:\Program Files\Common Files\System\de-DE\backup.exe
  "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1600

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
1⤵
PID:832

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
1⤵
PID:2288

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
1⤵
PID:1692

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
1⤵
- System policy modification
PID:1976

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
1⤵
PID:812

C:\Program Files\Common Files\System\msadc\de-DE\update.exe
"C:\Program Files\Common Files\System\msadc\de-DE\update.exe" C:\Program Files\Common Files\System\msadc\de-DE\
1⤵
PID:1512

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
1⤵
PID:2824

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
1⤵
PID:2716

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
1⤵
PID:1580
- C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
  "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
  2⤵
  PID:2592
- - C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
    3⤵
    PID:2104
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
    3⤵
    PID:808
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
    3⤵
    PID:1132
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
    3⤵
    PID:3008
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
    3⤵
    PID:1940
- - C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
    3⤵
    PID:2400
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
      4⤵
      PID:2388
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
    3⤵
    PID:692
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
    3⤵
    PID:1728
- - C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
    3⤵
    PID:1884
- - C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2356
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
    3⤵
    PID:2360
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
    3⤵
    PID:636
- - C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
    3⤵
    PID:384
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
    3⤵
    PID:2068
- - C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
    3⤵
    PID:1440
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
    3⤵
    PID:1524
  - - C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\
      4⤵
      PID:2024
- - C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
    3⤵
    PID:1972
- - C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
    3⤵
    PID:628
- - C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
    3⤵
    PID:2712
  - - C:\Program Files\Java\jdk1.7.0_80\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
      4⤵
      Disables RegEdit via registry modification
      PID:628
    - - C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        5⤵
        
        PID:1952
      - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
        6⤵
        
        PID:2812
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
        7⤵
        
        PID:1860
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\
        8⤵
        
        PID:2448
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\
        9⤵
        
        PID:1756
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:640
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        10⤵
        
        PID:2304
        
        C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        10⤵
        
        PID:2492
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        10⤵
        
        PID:3008
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        10⤵
        
        PID:1028
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\
        8⤵
        
        PID:676
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
        7⤵
        
        PID:2644
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
        7⤵
        
        PID:2776
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
        7⤵
        
        PID:2588
        
        C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\
        7⤵
        
        PID:2132
    - - C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        5⤵
        
        PID:1540
    - - C:\Program Files\Java\jdk1.7.0_80\include\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\data.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:580
    - - C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        5⤵
        
        PID:1516
    - - C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        5⤵
        
        PID:700
- - C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
    3⤵
    PID:2388

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
1⤵
PID:1828

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
1⤵
PID:2860

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
1⤵
PID:2692

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
1⤵
PID:1228

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
1⤵
PID:2612

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
1⤵
PID:2520
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
  2⤵
  PID:2420

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:700

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
1⤵
PID:760

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Program Files\Google\Chrome\Application\106.0.5249.119\update.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
1⤵
PID:1612
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
  2⤵
  - Disables RegEdit via registry modification
  PID:2148
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
  2⤵
  PID:1412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
1⤵
PID:2636

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
1⤵
PID:3068

C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
1⤵
PID:2912

C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
1⤵
PID:1280
- C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
  2⤵
  PID:2416

C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
1⤵
PID:1840

C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:900

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
1⤵
PID:1252
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
  2⤵
  - System policy modification
  PID:3004
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
  2⤵
  PID:2436

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
1⤵
PID:1548
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
  2⤵
  PID:1268
- - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
    3⤵
    - Disables RegEdit via registry modification
    PID:696
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Drops file in Program Files directory
  PID:1040
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
    3⤵
    PID:636
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
    3⤵
    PID:640
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      Drops file in Program Files directory
      PID:636
    - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2356
    - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
        5⤵
        
        PID:1944
    - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
        5⤵
        
        PID:2488
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
    3⤵
    PID:2488
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
    3⤵
    PID:1944
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
    3⤵
    PID:1940
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
      4⤵
      PID:692
    - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        5⤵
        
        PID:2980
    - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        5⤵
        
        PID:2164
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
    3⤵
    PID:1768
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\data.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
      4⤵
      PID:1880
  - - C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
      "C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
      4⤵
      PID:1704
  - - C:\Program Files\Java\jre7\bin\server\backup.exe
      "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
      4⤵
      PID:2864
  - - C:\Program Files\Java\jre7\bin\plugin2\backup.exe
      "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
      4⤵
      PID:2224
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
    3⤵
    PID:3020
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\data.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\
      4⤵
      PID:2044
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Drops file in Program Files directory
    - System policy modification
    PID:2520
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
    3⤵
    PID:2844
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\
    3⤵
    PID:764
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\data.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2748
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\
    3⤵
    PID:1248
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\
    3⤵
    - System policy modification
    PID:2028
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\
    3⤵
    PID:2892
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
    3⤵
    PID:2820
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
    3⤵
    PID:2400
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
    3⤵
    PID:1484
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
    3⤵
    - Disables RegEdit via registry modification
    PID:1884
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
    3⤵
    PID:3008
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
    3⤵
    PID:2356
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\
    3⤵
    PID:2472
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\
      4⤵
      Disables RegEdit via registry modification
      System policy modification
      PID:2916
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:292

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
1⤵
PID:1480
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
  2⤵
  PID:640

C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
1⤵
PID:1368

C:\Program Files\Internet Explorer\SIGNUP\data.exe
"C:\Program Files\Internet Explorer\SIGNUP\data.exe" C:\Program Files\Internet Explorer\SIGNUP\
1⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
- System policy modification
PID:1548
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Drops file in Program Files directory
  PID:1516
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1480
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
      4⤵
      PID:1372
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
      4⤵
      PID:3008
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\
        5⤵
        Disables RegEdit via registry modification
        
        PID:1372
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
    3⤵
    PID:1148
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
      4⤵
      PID:1940
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
      4⤵
      PID:1264
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
      4⤵
      PID:2616
  - - C:\Program Files\Java\jre7\bin\backup.exe
      "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
      4⤵
      System policy modification
      PID:1768
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
    3⤵
    PID:1704
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
      4⤵
      PID:1616
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
    3⤵
    PID:2124
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
  2⤵
  PID:2344

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
1⤵
PID:812

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
1⤵
PID:2660

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
1⤵
PID:1868

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
1⤵
PID:2944

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
1⤵
PID:2952

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\
1⤵
PID:2988

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\
1⤵
PID:2196
- C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe
  "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\
  2⤵
  PID:2780

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
1⤵
PID:1692
- C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
  2⤵
  PID:2600

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
1⤵
PID:980

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
1⤵
PID:2528
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
  2⤵
  PID:2628
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
  2⤵
  PID:2780

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
1⤵
PID:804
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\update.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\
  2⤵
  PID:2188

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
1⤵
PID:1856
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\
  2⤵
  PID:3068

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
1⤵
PID:2200
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\
  2⤵
  PID:1868
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\
  2⤵
  PID:1224

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\
1⤵
PID:2792

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\
1⤵
PID:1332
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\
  2⤵
  PID:2268
- C:\Program Files\Microsoft Office\Office14\backup.exe
  "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
  2⤵
  PID:2592

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
1⤵
PID:2232

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\
1⤵
PID:2796

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\
1⤵
PID:2744

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\
1⤵
PID:2764

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
1⤵
PID:3020
- C:\Program Files\Java\jre7\lib\amd64\backup.exe
  "C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
  2⤵
  PID:2764
- C:\Program Files\Java\jre7\lib\cmm\backup.exe
  "C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
  2⤵
  PID:2772
- C:\Program Files\Java\jre7\lib\fonts\update.exe
  "C:\Program Files\Java\jre7\lib\fonts\update.exe" C:\Program Files\Java\jre7\lib\fonts\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2892
- C:\Program Files\Java\jre7\lib\management\backup.exe
  "C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\
  2⤵
  PID:804
- C:\Program Files\Java\jre7\lib\zi\backup.exe
  "C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\
  2⤵
  PID:1856
- - C:\Program Files\Java\jre7\lib\zi\America\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\America\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\
    3⤵
    PID:1652
  - - C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe
      "C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\
      4⤵
      Disables RegEdit via registry modification
      PID:1868
  - - C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe
      "C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1540
  - - C:\Program Files\Java\jre7\lib\zi\America\Argentina\update.exe
      "C:\Program Files\Java\jre7\lib\zi\America\Argentina\update.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\
      4⤵
      PID:1676
  - - C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe
      "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1596
- - C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe" C:\Program Files\Java\jre7\lib\zi\Africa\
    3⤵
    PID:1996
  - - C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\
      4⤵
      PID:288
  - - C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\update.exe
      "C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\update.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\
      4⤵
      PID:376
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2712
  - - C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\
      4⤵
      PID:2076
  - - C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\data.exe
      "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\data.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\
      4⤵
      PID:2112
  - - C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe
      "C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\
      4⤵
      PID:2256
  - - C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:2104
- - C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Asia\
    3⤵
    PID:1344
- - C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Australia\
    3⤵
    PID:2068
- - C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe" C:\Program Files\Java\jre7\lib\zi\Europe\
    3⤵
    PID:2076
- - C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jre7\lib\zi\Pacific\
    3⤵
    PID:288
- - C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jre7\lib\zi\SystemV\
    3⤵
    PID:2268
- - C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe" C:\Program Files\Java\jre7\lib\zi\Indian\
    3⤵
    PID:1280
- - C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe" C:\Program Files\Java\jre7\lib\zi\Etc\
    3⤵
    - Drops file in Program Files directory
    - System policy modification
    PID:2344
- - C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jre7\lib\zi\Atlantic\
    3⤵
    PID:2104
- - C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe
    "C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\
    3⤵
    PID:2900
- - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe
    "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - System policy modification
    PID:1944
  - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\
      4⤵
      PID:900
  - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\
      4⤵
      PID:1648
  - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\
      4⤵
      PID:2904
  - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\
      4⤵
      PID:1832
  - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\
      4⤵
      PID:912
    - - C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        5⤵
        
        PID:2144
    - - C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        5⤵
        
        PID:2904
      - C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\
        6⤵
        
        PID:1808
  - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\
      4⤵
      PID:1600
    - - C:\Program Files\Mozilla Firefox\gmp-clearkey\data.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\data.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        5⤵
        
        PID:2456
    - - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
    - - C:\Program Files\Mozilla Firefox\defaults\data.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\data.exe" C:\Program Files\Mozilla Firefox\defaults\
        5⤵
        
        PID:848
    - - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        5⤵
        
        PID:912
  - - C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
      4⤵
      PID:980
- - C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe
    "C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\
    3⤵
    PID:2696
  - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\
      4⤵
      PID:2120
  - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\data.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\data.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\
      4⤵
      PID:1616
  - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\
      4⤵
      PID:1700
  - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\
      4⤵
      Disables RegEdit via registry modification
      PID:2020
  - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\
      4⤵
      PID:2588
  - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      System policy modification
      PID:2616
- C:\Program Files\Java\jre7\lib\security\backup.exe
  "C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
  2⤵
  PID:3048
- C:\Program Files\Java\jre7\lib\jfr\backup.exe
  "C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
  2⤵
  PID:876
- C:\Program Files\Java\jre7\lib\images\backup.exe
  "C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
  2⤵
  PID:552
- C:\Program Files\Java\jre7\lib\ext\backup.exe
  "C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
  2⤵
  PID:2620
- C:\Program Files\Java\jre7\lib\deploy\System Restore.exe
  "C:\Program Files\Java\jre7\lib\deploy\System Restore.exe" C:\Program Files\Java\jre7\lib\deploy\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2228
- C:\Program Files\Java\jre7\lib\applet\backup.exe
  "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:540

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\
1⤵
PID:3008

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\
1⤵
PID:2332

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\
1⤵
PID:2700

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\
1⤵
PID:1408
- C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\
  2⤵
  PID:1264

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\
1⤵
PID:3016

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\
1⤵
PID:2964

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
1⤵
PID:288

C:\Program Files\Java\jre7\lib\images\cursors\backup.exe
"C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2628

C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\
1⤵
PID:1960

C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\
1⤵
PID:2792

C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\
1⤵
- Disables RegEdit via registry modification
PID:2604

C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\
1⤵
PID:2660

C:\Program Files\Microsoft Games\Minesweeper\en-US\data.exe
"C:\Program Files\Microsoft Games\Minesweeper\en-US\data.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\
1⤵
PID:1204

C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
1⤵
PID:1828

C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\Solitaire\de-DE\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Solitaire\fr-FR\
1⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:2660

C:\Program Files\Mozilla Firefox\defaults\pref\System Restore.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\System Restore.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
1⤵
PID:1356

C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Solitaire\ja-JP\
1⤵
PID:1892

C:\Program Files\Microsoft Games\Solitaire\it-IT\data.exe
"C:\Program Files\Microsoft Games\Solitaire\it-IT\data.exe" C:\Program Files\Microsoft Games\Solitaire\it-IT\
1⤵
PID:2288

C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\Solitaire\es-ES\
1⤵
PID:2232

C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\Solitaire\en-US\
1⤵
PID:2200

C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
1⤵
- System policy modification
PID:2872
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\update.exe
  "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
  2⤵
  PID:1656
- C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
  "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
  2⤵
  - System policy modification
  PID:2752

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
1⤵
PID:2716

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
1⤵
PID:1640

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
1⤵
PID:1540

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
1⤵
PID:1596

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
1⤵
- Drops file in Program Files directory
PID:2156

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
1⤵
PID:2652

C:\Program Files\Reference Assemblies\Microsoft\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
1⤵
PID:2888

C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\
1⤵
PID:2572

C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\
1⤵
PID:1636

C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\
1⤵
PID:1812

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Modifies visibility of file extensions in Explorer
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\backup.exe

Filesize
72KB

MD5
2eb44db0a66d11d2cc4c5cc4aaa17aea

SHA1
c8764a8f059ead06701b94fe555ba4e41eb697c2

SHA256
0e20de7c0f29263bff6efdfd391f0deaee593cefd99e06b92c2c3e712e7ac5dd

SHA512
5e91759775a6cbaf1531235f9015e7b62e87b4d76f63bee6df2f652919ec04f672815e059d2dfa9dbb293da7d39c5866eb61a88bfe0b0e6fcd61e451ab6f42ee

Download Submit
C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
1f30d18fa87b51f11f13ab5cff4353f9

SHA1
396fcf1a4faa70dfe2046968e0e90fbd83ee4943

SHA256
2bbdc3595c5eacb261512f74abf3447654dea02f3b2f02ba11f395fe5f5c9663

SHA512
5dce355d1ecfaa5d74060d7f04e0f82cc9eca7b1547a92178796b79a145bd88f84a002e5ffd3e1e1e95ef95056aebbf632f12c3f7c4bd2fbe242539370dde922

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
76c0258aa339a634b828c40f9c69d4fc

SHA1
5c772b7979901648ad26d47bd3b383ecf88fb73a

SHA256
f1c29557e526016bece972d59d9485ad7c4e1dd327fcb65768e14235693cd6a9

SHA512
5f90f5909604656e441749b46e9a371d9ff2f15fff31ae2c5d2ffc1b859cbd944d7c819214d7fa814387434dac817ec593c2ab23734ab657531717128f405070

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
72KB

MD5
cd9796f30290b1041083cb9b5c42b675

SHA1
2aaf3a1b1b98e0da59428aa296b61885fca78f01

SHA256
3be04ef673af68d90035e178b89d490fd5f27b6b7db638d127d42c0402166bd3

SHA512
886523bdc7a005ef91757c909cee4ea9a791792bff423bab23c771ee12e34e733f4631516f833b76552e18c5169ed643c5c469897d96d9360978f255456e3f71

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
c913e9e7aa55feca64920fe6a58b9ceb

SHA1
5e163e4fc5ca5500d585c291b356aa94f4ffd4df

SHA256
8e14f354ff6952571a48f61aa29ed0baf5d466ae6e0a3f36df82da2678c27962

SHA512
e91c0eb57ad236153b9ad9c6cb8bb41819c522182edda4949e2aa3164090e8a66ddef98d9039439deefb6d273d45db6b6b7e38ca5f1a539de317249dff9bac11

Download Submit
\Users\Admin\AppData\Local\Temp\2676121189\backup.exe

Filesize
72KB

MD5
f380bab43f5725c7e2fac5a24b0c9d7d

SHA1
c99245539875adc479762ad39f357c8f30fec46d

SHA256
afd0ac27c614834dee207e7bfc487ece4e56beeac6f6581ebb6108cc2167a3ed

SHA512
a2736bb23d90bc60c0e3e01eca02d6e6f31de6ecfe52b4b2e49063abaa06d3fa69b5697448e880d992e5925a68368598566dd30dc02a0e18b1fbac4b67e0d165

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\CRX_INSTALL\backup.exe

Filesize
72KB

MD5
fec5c1691cd92395ca9d0831b0194ec1

SHA1
1e01fe9c239e304d8f3091a0ddb124caae31c4c3

SHA256
6788ba9db0b22bc28cfd34d80fd48123711378ee9d1dafc7c57138cb204a091e

SHA512
765537cf992d56a1d0e6cab8f5fd5ce02fdc3c444e67b62082493c6577c84d3b153bfc1121d5e60a9fd7d93755efb3c003b5aa1e4fc5b857c7b67b62d0f9bdca

Download Submit
memory/2020-613-0x0000000002AE0000-0x0000000002BF0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-119-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads