56acb28d2594c1ebe1ffa58e68b495b4a060d004d1b9056c07f65d1d5234abd1

Analysis

max time kernel
17s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e7b701b8d7f7abfabd7543108cdfb5e.exe
Size

72KB
MD5

1e7b701b8d7f7abfabd7543108cdfb5e
SHA1

050db431a255427ed586c606d88069ffc65aa83a
SHA256

56acb28d2594c1ebe1ffa58e68b495b4a060d004d1b9056c07f65d1d5234abd1
SHA512

49b68801ee28795e07f6ab65c2a3b8214b76bb00e5c5fb1cdeea152183df5e852d3303a63f2a7274a79abc97dc2f9ce3dc96c863dbf2ff100e9d6fa3fafdf0a2
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2I:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrE

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WMIADAP.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	wmiprvse.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
1824	backup.exe
2328	backup.exe
2808	backup.exe
2728	System Restore.exe
2880	backup.exe
2740	backup.exe
2596	update.exe
3024	backup.exe
1676	backup.exe
320	backup.exe
2832	backup.exe
2516	backup.exe
2520	backup.exe
2700	backup.exe
1384	System Restore.exe
2300	backup.exe
2928	backup.exe
2276	backup.exe
572	backup.exe
2124	backup.exe
792	backup.exe
2224	backup.exe
2444	backup.exe
344	backup.exe
1692	backup.exe
776	backup.exe
2332	backup.exe
916	backup.exe
1752	backup.exe
2568	backup.exe
2344	backup.exe
1732	backup.exe
888	System Restore.exe
1988	backup.exe
2736	backup.exe
2824	backup.exe
2656	backup.exe
2644	backup.exe
2936	backup.exe
2240	backup.exe
1620	backup.exe
2892	backup.exe
1676	backup.exe
1964	backup.exe
2820	backup.exe
3064	backup.exe
1032	backup.exe
1716	backup.exe
2168	data.exe
2264	backup.exe
1204	backup.exe
1448	backup.exe
2080	backup.exe
2784	backup.exe
596	System Restore.exe
600	data.exe
848	backup.exe
2124	backup.exe
2424	backup.exe
1164	backup.exe
2440	backup.exe
2536	update.exe
1700	backup.exe
1692	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2996	backup.exe
2596	update.exe
2596	update.exe
2996	backup.exe
2996	backup.exe
1676	backup.exe
1676	backup.exe
2996	backup.exe
2996	backup.exe
2516	backup.exe
2516	backup.exe
2520	backup.exe
2520	backup.exe
2516	backup.exe
2516	backup.exe
1384	System Restore.exe
1384	System Restore.exe
2300	backup.exe
2300	backup.exe
1384	System Restore.exe
1384	System Restore.exe
2276	backup.exe
2276	backup.exe
572	backup.exe
572	backup.exe
572	backup.exe
572	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe
792	backup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\System\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\data.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe	Process not Found
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe	Process not Found
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\data.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2996	backup.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2996	backup.exe
1824	backup.exe
2328	backup.exe
2808	backup.exe
2728	System Restore.exe
2880	backup.exe
2740	backup.exe
2596	update.exe
3024	backup.exe
1676	backup.exe
320	backup.exe
2832	backup.exe
2516	backup.exe
2520	backup.exe
2700	backup.exe
1384	System Restore.exe
2300	backup.exe
2928	backup.exe
2276	backup.exe
572	backup.exe
2124	backup.exe
792	backup.exe
2224	backup.exe
2444	backup.exe
344	backup.exe
1692	backup.exe
776	backup.exe
2332	backup.exe
916	backup.exe
1752	backup.exe
2568	backup.exe
2344	backup.exe
1732	backup.exe
888	System Restore.exe
1988	backup.exe
2736	backup.exe
2824	backup.exe
2656	backup.exe
2644	backup.exe
2936	backup.exe
2240	backup.exe
1620	backup.exe
2892	backup.exe
1676	backup.exe
1964	backup.exe
2820	backup.exe
3064	backup.exe
1032	backup.exe
1716	backup.exe
2168	data.exe
2264	backup.exe
1204	backup.exe
1448	backup.exe
2080	backup.exe
2784	backup.exe
596	System Restore.exe
600	data.exe
848	backup.exe
2124	backup.exe
2424	backup.exe
1164	backup.exe
2440	backup.exe
2536	update.exe
1700	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 1824	2996	backup.exe	365
PID 2996 wrote to memory of 1824	2996	backup.exe	365
PID 2996 wrote to memory of 1824	2996	backup.exe	365
PID 2996 wrote to memory of 1824	2996	backup.exe	365
PID 2996 wrote to memory of 2328	2996	backup.exe	364
PID 2996 wrote to memory of 2328	2996	backup.exe	364
PID 2996 wrote to memory of 2328	2996	backup.exe	364
PID 2996 wrote to memory of 2328	2996	backup.exe	364
PID 2996 wrote to memory of 2808	2996	backup.exe	363
PID 2996 wrote to memory of 2808	2996	backup.exe	363
PID 2996 wrote to memory of 2808	2996	backup.exe	363
PID 2996 wrote to memory of 2808	2996	backup.exe	363
PID 2996 wrote to memory of 2728	2996	backup.exe	395
PID 2996 wrote to memory of 2728	2996	backup.exe	395
PID 2996 wrote to memory of 2728	2996	backup.exe	395
PID 2996 wrote to memory of 2728	2996	backup.exe	395
PID 2996 wrote to memory of 2880	2996	backup.exe	361
PID 2996 wrote to memory of 2880	2996	backup.exe	361
PID 2996 wrote to memory of 2880	2996	backup.exe	361
PID 2996 wrote to memory of 2880	2996	backup.exe	361
PID 2996 wrote to memory of 2740	2996	backup.exe	595
PID 2996 wrote to memory of 2740	2996	backup.exe	595
PID 2996 wrote to memory of 2740	2996	backup.exe	595
PID 2996 wrote to memory of 2740	2996	backup.exe	595
PID 2996 wrote to memory of 2596	2996	backup.exe	618
PID 2996 wrote to memory of 2596	2996	backup.exe	618
PID 2996 wrote to memory of 2596	2996	backup.exe	618
PID 2996 wrote to memory of 2596	2996	backup.exe	618
PID 2596 wrote to memory of 3024	2596	update.exe	459
PID 2596 wrote to memory of 3024	2596	update.exe	459
PID 2596 wrote to memory of 3024	2596	update.exe	459
PID 2596 wrote to memory of 3024	2596	update.exe	459
PID 2996 wrote to memory of 1676	2996	backup.exe	555
PID 2996 wrote to memory of 1676	2996	backup.exe	555
PID 2996 wrote to memory of 1676	2996	backup.exe	555
PID 2996 wrote to memory of 1676	2996	backup.exe	555
PID 1676 wrote to memory of 320	1676	backup.exe	665
PID 1676 wrote to memory of 320	1676	backup.exe	665
PID 1676 wrote to memory of 320	1676	backup.exe	665
PID 1676 wrote to memory of 320	1676	backup.exe	665
PID 2996 wrote to memory of 2832	2996	backup.exe	964
PID 2996 wrote to memory of 2832	2996	backup.exe	964
PID 2996 wrote to memory of 2832	2996	backup.exe	964
PID 2996 wrote to memory of 2832	2996	backup.exe	964
PID 1824 wrote to memory of 2516	1824	backup.exe	358
PID 1824 wrote to memory of 2516	1824	backup.exe	358
PID 1824 wrote to memory of 2516	1824	backup.exe	358
PID 1824 wrote to memory of 2516	1824	backup.exe	358
PID 2516 wrote to memory of 2520	2516	backup.exe	357
PID 2516 wrote to memory of 2520	2516	backup.exe	357
PID 2516 wrote to memory of 2520	2516	backup.exe	357
PID 2516 wrote to memory of 2520	2516	backup.exe	357
PID 2520 wrote to memory of 2700	2520	backup.exe	891
PID 2520 wrote to memory of 2700	2520	backup.exe	891
PID 2520 wrote to memory of 2700	2520	backup.exe	891
PID 2520 wrote to memory of 2700	2520	backup.exe	891
PID 2516 wrote to memory of 1384	2516	backup.exe	355
PID 2516 wrote to memory of 1384	2516	backup.exe	355
PID 2516 wrote to memory of 1384	2516	backup.exe	355
PID 2516 wrote to memory of 1384	2516	backup.exe	355
PID 1384 wrote to memory of 2300	1384	System Restore.exe	818
PID 1384 wrote to memory of 2300	1384	System Restore.exe	818
PID 1384 wrote to memory of 2300	1384	System Restore.exe	818
PID 1384 wrote to memory of 2300	1384	System Restore.exe	818

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe

C:\Users\Admin\AppData\Local\Temp\1e7b701b8d7f7abfabd7543108cdfb5e.exe
"C:\Users\Admin\AppData\Local\Temp\1e7b701b8d7f7abfabd7543108cdfb5e.exe"
1⤵
PID:2996
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\
  2⤵
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\backup.exe
  C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\4223379495\backup.exe
  C:\Users\Admin\AppData\Local\Temp\4223379495\backup.exe C:\Users\Admin\AppData\Local\Temp\4223379495\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1824

C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\CRX_INSTALL\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_706045420\CRX_INSTALL\
1⤵
PID:320

C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\CRX_INSTALL\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2104_1603549830\CRX_INSTALL\
1⤵
PID:3024

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
1⤵
PID:572
- C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
  2⤵
  PID:2124
- C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
  2⤵
  PID:2816
- - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
    3⤵
    PID:2604
  - - C:\Program Files\Reference Assemblies\Microsoft\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
      4⤵
      PID:2000
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        5⤵
        
        PID:2168
      - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        6⤵
        
        PID:2724
      - C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\
        6⤵
        
        PID:1100
    - - C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        5⤵
        
        PID:2220
      - C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        6⤵
        
        PID:772
- C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
  2⤵
  PID:1612
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
    3⤵
    PID:2608
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
    3⤵
    PID:2636
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
    3⤵
    PID:2924
  - - C:\Program Files\Common Files\System\Ole DB\de-DE\data.exe
      "C:\Program Files\Common Files\System\Ole DB\de-DE\data.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
      4⤵
      PID:2636
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
    3⤵
    PID:2672
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
    3⤵
    PID:1724
- - C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
    3⤵
    PID:2616
  - - C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
      4⤵
      PID:1596
    - - C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe" C:\Program Files\Microsoft Games\More Games\it-IT\
        5⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:816
      - C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\
        6⤵
        Drops file in Program Files directory
        
        PID:1956
      - C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2888
        
        C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\
        7⤵
        
        PID:968
        
        C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1720
      - C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\
        6⤵
        
        PID:804
        
        C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:888
      - C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\
        6⤵
        
        PID:1840
        
        C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\
        7⤵
        
        PID:2828
      - C:\Program Files\VideoLAN\VLC\locale\gu\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gu\update.exe" C:\Program Files\VideoLAN\VLC\locale\gu\
        6⤵
        
        PID:1048
      - C:\Program Files\VideoLAN\VLC\locale\he\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\he\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\
        6⤵
        System policy modification
        
        PID:972
      - C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1280
      - C:\Program Files\VideoLAN\VLC\locale\ia\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ia\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ia\
        6⤵
        
        PID:2576
        
        C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\
        7⤵
        
        PID:932
      - C:\Program Files\VideoLAN\VLC\locale\ka\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ka\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\ka\
        6⤵
        
        PID:2224
        
        C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:924
      - C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\
        6⤵
        
        PID:2840
        
        C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2624
        
        C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\
        7⤵
        
        PID:2528
        
        C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\
        8⤵
        
        PID:2264
      - C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\
        6⤵
        
        PID:1616
        
        C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\
        7⤵
        System policy modification
        
        PID:3028
      - C:\Program Files\VideoLAN\VLC\locale\mai\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mai\update.exe" C:\Program Files\VideoLAN\VLC\locale\mai\
        6⤵
        
        PID:488
        
        C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\
        7⤵
        
        PID:2208
      - C:\Program Files\VideoLAN\VLC\locale\mk\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mk\
        6⤵
        System policy modification
        
        PID:2184
        
        C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\
        7⤵
        System policy modification
        
        PID:1976
      - C:\Program Files\VideoLAN\VLC\locale\my\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\my\backup.exe" C:\Program Files\VideoLAN\VLC\locale\my\
        6⤵
        System policy modification
        
        PID:1780
      - C:\Program Files\VideoLAN\VLC\locale\ms\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ms\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ms\
        6⤵
        System policy modification
        
        PID:2840
      - C:\Program Files\VideoLAN\VLC\locale\mr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mr\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2644
      - C:\Program Files\VideoLAN\VLC\locale\mn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mn\
        6⤵
        
        PID:1988
      - C:\Program Files\VideoLAN\VLC\locale\ml\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ml\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ml\
        6⤵
        
        PID:2076
      - C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\
        6⤵
        
        PID:108
      - C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\
        6⤵
        
        PID:1840
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\
        7⤵
        
        PID:2376
      - C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\
        6⤵
        
        PID:1712
      - C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\
        6⤵
        
        PID:2820
      - C:\Program Files\VideoLAN\VLC\locale\nb\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nb\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nb\
        6⤵
        
        PID:1596
        
        C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\
        7⤵
        
        PID:1480
        
        C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\
        8⤵
        
        PID:1712
      - C:\Program Files\VideoLAN\VLC\locale\nn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nn\
        6⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:108
        
        C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\
        7⤵
        
        PID:2964
      - C:\Program Files\VideoLAN\VLC\locale\nl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nl\
        6⤵
        
        PID:2488
      - C:\Program Files\VideoLAN\VLC\locale\ne\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ne\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ne\
        6⤵
        
        PID:1476
      - C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\
        6⤵
        
        PID:700
      - C:\Program Files\VideoLAN\VLC\locale\km\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\km\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\
        6⤵
        
        PID:1052
        
        C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\
        7⤵
        
        PID:2684
      - C:\Program Files\VideoLAN\VLC\locale\kk\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kk\data.exe" C:\Program Files\VideoLAN\VLC\locale\kk\
        6⤵
        
        PID:2012
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\
        7⤵
        
        PID:2008
      - C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\
        6⤵
        
        PID:2484
      - C:\Program Files\VideoLAN\VLC\locale\it\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\it\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\
        6⤵
        
        PID:2836
      - C:\Program Files\VideoLAN\VLC\locale\is\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\is\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\
        6⤵
        
        PID:2496
      - C:\Program Files\VideoLAN\VLC\locale\id\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\id\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\
        6⤵
        Drops file in Program Files directory
        
        PID:1708
      - C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\
        6⤵
        
        PID:2512
      - C:\Program Files\VideoLAN\VLC\locale\hu\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hu\update.exe" C:\Program Files\VideoLAN\VLC\locale\hu\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2312
      - C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1988
      - C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\
        6⤵
        
        PID:1052
      - C:\Program Files\VideoLAN\VLC\locale\oc\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\oc\update.exe" C:\Program Files\VideoLAN\VLC\locale\oc\
        6⤵
        
        PID:2208
        
        C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\
        7⤵
        
        PID:3004
        
        C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\
        7⤵
        
        PID:1768
      - C:\Program Files\VideoLAN\VLC\locale\or\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\or\backup.exe" C:\Program Files\VideoLAN\VLC\locale\or\
        6⤵
        System policy modification
        
        PID:540
        
        C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\
        7⤵
        
        PID:2652
      - C:\Program Files\VideoLAN\VLC\locale\ps\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ps\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ps\
        6⤵
        
        PID:2676
      - C:\Program Files\VideoLAN\VLC\locale\pt_BR\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pt_BR\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_BR\
        6⤵
        
        PID:2724
        
        C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\
        7⤵
        
        PID:2588
      - C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pl\
        6⤵
        
        PID:1628
      - C:\Program Files\VideoLAN\VLC\locale\pa\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pa\
        6⤵
        
        PID:848
        
        C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1884
        
        C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        8⤵
        
        PID:2968
        
        C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        8⤵
        
        PID:1656
        
        C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        8⤵
        System policy modification
        
        PID:2692
        
        C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        8⤵
        
        PID:2128
        
        C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2444
        
        C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        8⤵
        Drops file in Program Files directory
        
        PID:2872
        
        C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        8⤵
        
        PID:1712
        
        C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2784
        
        C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        8⤵
        
        PID:2668
        
        C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        7⤵
        System policy modification
        
        PID:1784
        
        C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1480
        
        C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        9⤵
        Disables RegEdit via registry modification
        
        PID:884
        
        C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2324
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        9⤵
        
        PID:2492
        
        C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        8⤵
        
        PID:2656
        
        C:\Users\Public\Videos\Sample Videos\backup.exe
        
        "C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
        9⤵
        
        PID:2924
      - C:\Program Files\VideoLAN\VLC\locale\pt_PT\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pt_PT\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_PT\
        6⤵
        
        PID:2576
        
        C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\
        7⤵
        
        PID:2080
      - C:\Program Files\VideoLAN\VLC\locale\ru\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ru\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ru\
        6⤵
        
        PID:1932
        
        C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\
        7⤵
        
        PID:1036
      - C:\Program Files\VideoLAN\VLC\locale\si\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\si\backup.exe" C:\Program Files\VideoLAN\VLC\locale\si\
        6⤵
        
        PID:2372
        
        C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\
        7⤵
        
        PID:1848
      - C:\Program Files\VideoLAN\VLC\locale\ro\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ro\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ro\
        6⤵
        
        PID:1480
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:1344
      - C:\Program Files\VideoLAN\VLC\locale\sq\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sq\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sq\
        6⤵
        System policy modification
        
        PID:556
        
        C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:280
      - C:\Program Files\VideoLAN\VLC\locale\sl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sl\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:344
      - C:\Program Files\VideoLAN\VLC\locale\sk\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sk\
        6⤵
        
        PID:1608
      - C:\Program Files\VideoLAN\VLC\locale\te\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\te\backup.exe" C:\Program Files\VideoLAN\VLC\locale\te\
        6⤵
        System policy modification
        
        PID:2296
      - C:\Program Files\VideoLAN\VLC\locale\ta\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ta\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ta\
        6⤵
        
        PID:968
      - C:\Program Files\VideoLAN\VLC\locale\sv\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sv\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\sv\
        6⤵
        
        PID:2348
      - C:\Program Files\VideoLAN\VLC\locale\tet\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tet\backup.exe" C:\Program Files\VideoLAN\VLC\locale\tet\
        6⤵
        
        PID:2288
        
        C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\
        7⤵
        
        PID:2072
      - C:\Program Files\VideoLAN\VLC\locale\sr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sr\
        6⤵
        
        PID:916
      - C:\Program Files\VideoLAN\VLC\locale\tl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\tl\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2796
        
        C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\
        7⤵
        
        PID:884
      - C:\Program Files\VideoLAN\VLC\locale\tr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\tr\
        6⤵
        
        PID:1848
        
        C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\
        7⤵
        
        PID:2688
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\
        8⤵
        
        PID:2012
      - C:\Program Files\VideoLAN\VLC\locale\th\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\th\backup.exe" C:\Program Files\VideoLAN\VLC\locale\th\
        6⤵
        
        PID:1872
      - C:\Program Files\VideoLAN\VLC\locale\ug\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ug\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ug\
        6⤵
        
        PID:948
        
        C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\
        7⤵
        
        PID:332
      - C:\Program Files\VideoLAN\VLC\locale\uz\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\uz\backup.exe" C:\Program Files\VideoLAN\VLC\locale\uz\
        6⤵
        
        PID:3016
        
        C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\
        7⤵
        
        PID:2120
      - C:\Program Files\VideoLAN\VLC\locale\uk\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\uk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\uk\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2208
      - C:\Program Files\VideoLAN\VLC\locale\vi\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\vi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\vi\
        6⤵
        
        PID:2668
        
        C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\
        7⤵
        
        PID:2804
      - C:\Program Files\VideoLAN\VLC\locale\wa\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\wa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\wa\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2528
      - C:\Program Files\VideoLAN\VLC\locale\zu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\zu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\zu\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1204
      - C:\Program Files\VideoLAN\VLC\locale\zh_TW\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\zh_TW\backup.exe" C:\Program Files\VideoLAN\VLC\locale\zh_TW\
        6⤵
        
        PID:1032
      - C:\Program Files\VideoLAN\VLC\locale\zh_CN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\zh_CN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\zh_CN\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2672
    - - C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2740
    - - C:\Program Files\Microsoft Games\More Games\es-ES\System Restore.exe
        
        "C:\Program Files\Microsoft Games\More Games\es-ES\System Restore.exe" C:\Program Files\Microsoft Games\More Games\es-ES\
        5⤵
        
        PID:2656
    - - C:\Program Files\Microsoft Games\More Games\en-US\System Restore.exe
        
        "C:\Program Files\Microsoft Games\More Games\en-US\System Restore.exe" C:\Program Files\Microsoft Games\More Games\en-US\
        5⤵
        
        PID:1548
    - - C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\
        5⤵
        
        PID:2240
- C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:3036
- C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
  2⤵
  PID:356
- C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
  2⤵
  PID:1932
- C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
  2⤵
  PID:1800
- C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
  2⤵
  - System policy modification
  PID:820
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
  2⤵
  PID:2724
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
    3⤵
    PID:1784
  - - C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
      4⤵
      PID:2576
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\update.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
    3⤵
    PID:2220
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
    3⤵
    - Disables RegEdit via registry modification
    - System policy modification
    PID:1536
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
    3⤵
    PID:2776
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
    3⤵
    PID:2596
- - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
    "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
    3⤵
    PID:2788
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
  2⤵
  PID:916
- C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
  "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:792
- C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
  "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
  2⤵
  PID:2692

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
1⤵
PID:2224

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
1⤵
PID:1988

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
1⤵
PID:2736

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
1⤵
PID:2656
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\data.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\
  2⤵
  PID:1520

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
1⤵
PID:2644

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
1⤵
PID:2240

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
1⤵
PID:2892

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
1⤵
PID:1964

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
1⤵
PID:3064

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
1⤵
PID:1032

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
1⤵
PID:2168

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
1⤵
PID:1204

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
1⤵
PID:2080

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
1⤵
PID:596
- C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe
  "C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\
  2⤵
  PID:352
- C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe
  "C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\
  2⤵
  PID:1440
- C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe
  "C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\
  2⤵
  PID:1476
- - C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\System Restore.exe
    "C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\
    3⤵
    PID:696

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
1⤵
PID:848

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
1⤵
PID:2424

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
1⤵
PID:1692

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
1⤵
PID:1700

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
1⤵
PID:620

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
1⤵
PID:1752

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
1⤵
PID:2344

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
1⤵
PID:1240
- C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
  2⤵
  PID:2204

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
1⤵
PID:2184
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
  2⤵
  PID:412
- - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
    3⤵
    PID:2388
  - - C:\Program Files\MSBuild\Microsoft\backup.exe
      "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
      4⤵
      PID:412
    - - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        5⤵
        
        PID:1052
- - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
    3⤵
    PID:2308

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
1⤵
PID:2312
- C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\
  2⤵
  PID:1628
- - C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\data.exe
    "C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\
    3⤵
    PID:2804

C:\Program Files\Common Files\System\ado\update.exe
"C:\Program Files\Common Files\System\ado\update.exe" C:\Program Files\Common Files\System\ado\
1⤵
PID:2232
- C:\Program Files\Common Files\System\ado\de-DE\data.exe
  "C:\Program Files\Common Files\System\ado\de-DE\data.exe" C:\Program Files\Common Files\System\ado\de-DE\
  2⤵
  PID:2960
- C:\Program Files\Common Files\System\ado\it-IT\backup.exe
  "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
  2⤵
  PID:2408
- C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
  2⤵
  PID:2188
- - C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
    3⤵
    PID:1788

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
1⤵
PID:1656
- C:\Program Files\Common Files\System\de-DE\backup.exe
  "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
  2⤵
  PID:1760
- C:\Program Files\Common Files\System\fr-FR\backup.exe
  "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
  2⤵
  PID:1808
- C:\Program Files\Common Files\System\msadc\backup.exe
  "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
  2⤵
  PID:2648
- - C:\Program Files\Common Files\System\msadc\en-US\backup.exe
    "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
    3⤵
    PID:1624
- - C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
    "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
    3⤵
    PID:2608
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\
      4⤵
      PID:1516
- - C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
    "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
    3⤵
    PID:2672
- - C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
    "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
    3⤵
    PID:1636
  - - C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\
      4⤵
      Drops file in Program Files directory
      PID:2228
  - - C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\
      4⤵
      PID:1044
- - C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
    "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
    3⤵
    PID:2596
- - C:\Program Files\Common Files\System\msadc\de-DE\data.exe
    "C:\Program Files\Common Files\System\msadc\de-DE\data.exe" C:\Program Files\Common Files\System\msadc\de-DE\
    3⤵
    - Disables RegEdit via registry modification
    PID:2680
- C:\Program Files\Common Files\System\Ole DB\backup.exe
  "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
  2⤵
  PID:2924
- - C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
    3⤵
    PID:752
- - C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
    3⤵
    PID:3004
- - C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
    3⤵
    PID:2508
- - C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
    3⤵
    PID:1724
- - C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
    "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
    3⤵
    PID:2616
- C:\Program Files\Common Files\System\ja-JP\backup.exe
  "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
  2⤵
  PID:2948
- - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
    3⤵
    PID:1756
- C:\Program Files\Common Files\System\it-IT\backup.exe
  "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:2628
- C:\Program Files\Common Files\System\es-ES\backup.exe
  "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
  2⤵
  PID:1968
- C:\Program Files\Common Files\System\en-US\backup.exe
  "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
  2⤵
  PID:2104

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
1⤵
PID:1064
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
  2⤵
  PID:1368

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
1⤵
PID:1516

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
1⤵
PID:2548

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
1⤵
PID:1164

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
1⤵
- Disables RegEdit via registry modification
PID:844

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
1⤵
PID:1968

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
1⤵
PID:916

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
1⤵
PID:2880

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
1⤵
PID:2936

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
1⤵
PID:2724

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
1⤵
PID:2948

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
1⤵
PID:320
- C:\Program Files\Google\Chrome\Application\update.exe
  "C:\Program Files\Google\Chrome\Application\update.exe" C:\Program Files\Google\Chrome\Application\
  2⤵
  PID:1040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
1⤵
PID:2600
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\data.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\data.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
  2⤵
  PID:1300
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\data.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\data.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
  2⤵
  PID:1712
- - C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\
    3⤵
    PID:2172
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
  2⤵
  PID:2664

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
1⤵
PID:1204
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
  2⤵
  PID:2544
- C:\Program Files\Java\jre7\bin\System Restore.exe
  "C:\Program Files\Java\jre7\bin\System Restore.exe" C:\Program Files\Java\jre7\bin\
  2⤵
  PID:356
- - C:\Program Files\Java\jre7\bin\server\backup.exe
    "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
    3⤵
    PID:312
- - C:\Program Files\Java\jre7\bin\plugin2\backup.exe
    "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
    3⤵
    - Drops file in Program Files directory
    - System policy modification
    PID:1040
- - C:\Program Files\Java\jre7\bin\dtplugin\data.exe
    "C:\Program Files\Java\jre7\bin\dtplugin\data.exe" C:\Program Files\Java\jre7\bin\dtplugin\
    3⤵
    PID:2928

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
1⤵
PID:848

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
1⤵
PID:2488

C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe
"C:\Program Files\Internet Explorer\SIGNUP\System Restore.exe" C:\Program Files\Internet Explorer\SIGNUP\
1⤵
PID:2008

C:\Program Files\Java\jdk1.7.0_80\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
1⤵
PID:1700
- C:\Program Files\Java\jdk1.7.0_80\db\System Restore.exe
  "C:\Program Files\Java\jdk1.7.0_80\db\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\db\
  2⤵
  PID:1268
- - C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
    3⤵
    PID:2408
- - C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
    3⤵
    PID:1012
  - - C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\data.exe
      "C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\
      4⤵
      PID:2004
- C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
  2⤵
  PID:1432
- - C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
    3⤵
    PID:1596
  - - C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
      4⤵
      PID:2632
  - - C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
      4⤵
      PID:1768
    - - C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\
        5⤵
        
        PID:2644
      - C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\
        6⤵
        
        PID:2620
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        5⤵
        
        PID:2220
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        6⤵
        
        PID:2576
      - C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\
        6⤵
        
        PID:2776
      - C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2716
      - C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
        6⤵
        
        PID:2720
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        5⤵
        
        PID:1204
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3000
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        6⤵
        
        PID:1772
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        6⤵
        
        PID:2836
        
        C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\
        7⤵
        
        PID:2584
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:600
      - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        6⤵
        
        PID:572
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        7⤵
        
        PID:1164
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        7⤵
        
        PID:1976
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        8⤵
        
        PID:2292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        8⤵
        
        PID:2300
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        8⤵
        
        PID:2692
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        5⤵
        
        PID:2796
  - - C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
      4⤵
      PID:1560
- - C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
    3⤵
    PID:2236
- C:\Program Files\Java\jdk1.7.0_80\lib\update.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
  2⤵
  PID:1292
- - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
    3⤵
    PID:488
  - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
      4⤵
      PID:2184
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
        5⤵
        
        PID:1272
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
        5⤵
        
        PID:2004
      - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\
        6⤵
        
        PID:296
      - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\
        6⤵
        
        PID:2408
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
        5⤵
        
        PID:1528
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
        5⤵
        System policy modification
        
        PID:2352
  - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
      4⤵
      PID:1044
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\
        5⤵
        
        PID:2212
      - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\
        6⤵
        
        PID:2764
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\
        5⤵
        
        PID:2120
      - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\
        6⤵
        
        PID:2240
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\
        5⤵
        
        PID:2656
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\
        5⤵
        
        PID:2740
  - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
      4⤵
      PID:1280
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\
        5⤵
        
        PID:3000
      - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\
        6⤵
        
        PID:1888
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\
        5⤵
        
        PID:1580
      - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\
        6⤵
        
        PID:1772
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\
        5⤵
        
        PID:1300
      - C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        7⤵
        
        PID:2608
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\
        5⤵
        
        PID:1512
  - - C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2424
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
    3⤵
    PID:2640
- C:\Program Files\Java\jdk1.7.0_80\include\update.exe
  "C:\Program Files\Java\jdk1.7.0_80\include\update.exe" C:\Program Files\Java\jdk1.7.0_80\include\
  2⤵
  PID:2232
- - C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
    "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
    3⤵
    PID:1528
- - C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
    "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
    3⤵
    PID:620
- - C:\Program Files\Common Files\System\ado\es-ES\backup.exe
    "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
    3⤵
    PID:1628
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
      4⤵
      PID:1528
- - C:\Program Files\Common Files\System\ado\en-US\backup.exe
    "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
    3⤵
    PID:540
- C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
  2⤵
  PID:1692

C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
1⤵
PID:2612
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\data.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
  2⤵
  PID:1668

C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
1⤵
PID:2660

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
1⤵
PID:2584

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
1⤵
PID:2284
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
  2⤵
  PID:1932
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
  2⤵
  PID:2928
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\update.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
  2⤵
  PID:356
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
    3⤵
    - System policy modification
    PID:2580
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
    3⤵
    PID:2548
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
    3⤵
    PID:1516
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
    3⤵
    PID:2268
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
    3⤵
    PID:752
- - C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
    3⤵
    PID:3004
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
  2⤵
  PID:1504
- C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
  2⤵
  PID:1932

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
1⤵
PID:2872
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
  2⤵
  PID:784
- - C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\
    3⤵
    PID:2872
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
  2⤵
  PID:2976
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
  2⤵
  PID:2536
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\System Restore.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
  2⤵
  PID:2964
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
  2⤵
  PID:2424
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
  2⤵
  PID:2484
- - C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\
    3⤵
    PID:1848
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
  2⤵
  PID:1156
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
  2⤵
  PID:1848
- C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
  2⤵
  PID:600

C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\data.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
1⤵
- Disables RegEdit via registry modification
PID:1740

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
1⤵
PID:312
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
  2⤵
  PID:968
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
    3⤵
    PID:2012
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
  2⤵
  PID:2100
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
    3⤵
    PID:3044
  - - C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\
      4⤵
      PID:2788
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
    3⤵
    PID:2716
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
    3⤵
    PID:2668
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
    3⤵
    PID:1548
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
      4⤵
      PID:1676
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
    3⤵
    PID:2916
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
      4⤵
      PID:2852
  - - C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
      4⤵
      PID:2492
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
    3⤵
    PID:1644
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
      4⤵
      PID:2912
    - - C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        5⤵
        
        PID:2288
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
    3⤵
    PID:2268
  - - C:\Program Files\DVD Maker\Shared\System Restore.exe
      "C:\Program Files\DVD Maker\Shared\System Restore.exe" C:\Program Files\DVD Maker\Shared\
      4⤵
      PID:1668
  - - C:\Program Files\DVD Maker\ja-JP\backup.exe
      "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
      4⤵
      PID:1652
  - - C:\Program Files\DVD Maker\it-IT\backup.exe
      "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
      4⤵
      PID:2504
  - - C:\Program Files\DVD Maker\fr-FR\backup.exe
      "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
      4⤵
      Disables RegEdit via registry modification
      PID:640
  - - C:\Program Files\DVD Maker\es-ES\data.exe
      "C:\Program Files\DVD Maker\es-ES\data.exe" C:\Program Files\DVD Maker\es-ES\
      4⤵
      PID:2580
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
    3⤵
    PID:3024
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
    3⤵
    PID:1988
  - - C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\
      4⤵
      PID:700
    - - C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\
        5⤵
        
        PID:1076
  - - C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\
      4⤵
      PID:1756
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\data.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
    3⤵
    PID:916
  - - C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
      4⤵
      PID:2720
  - - C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
      4⤵
      PID:2040
  - - C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
      4⤵
      PID:2684
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\update.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
    3⤵
    PID:2020
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
    3⤵
    PID:1008
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
    3⤵
    PID:1724
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
      4⤵
      PID:2508
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
    3⤵
    PID:352
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
      4⤵
      PID:2280
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
    3⤵
    PID:2584
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\
      4⤵
      PID:2600
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
    3⤵
    PID:2876
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\
      4⤵
      PID:336
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\
    3⤵
    PID:2560
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\
      4⤵
      PID:108
    - - C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\
        5⤵
        
        PID:2536
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\
    3⤵
    PID:2316
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\
      4⤵
      PID:1540
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:1688
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        
        PID:1272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:1076
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:2820
        
        C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\
        9⤵
        
        PID:2220
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2336
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:2860
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:1596
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:352
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:1544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1052
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:296
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        10⤵
        
        PID:1984
        
        C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\
        10⤵
        
        PID:568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:1064
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2232
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:2476
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:1276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:1756
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        
        PID:2812
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:1288
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2344
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:280
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1768
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        System policy modification
        
        PID:2096
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\
    3⤵
    PID:2444
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\
      4⤵
      PID:1688
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\data.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\
    3⤵
    PID:764
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\
      4⤵
      PID:1036
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\System Restore.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\
    3⤵
    PID:2604
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\
    3⤵
    PID:2448
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
  2⤵
  PID:2688
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
  2⤵
  PID:2204
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
    3⤵
    PID:2120
  - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\
      4⤵
      PID:2776
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\
        5⤵
        
        PID:2948
    - - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\
        5⤵
        
        PID:2612
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
    3⤵
    PID:280
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
      4⤵
      PID:1600
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
  2⤵
  - Drops file in Program Files directory
  PID:612
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
    3⤵
    PID:2740
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\data.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
      4⤵
      PID:2336
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
      4⤵
      PID:2672
    - - C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\
        5⤵
        
        PID:968
    - - C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1716
    - - C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\
        5⤵
        Disables RegEdit via registry modification
        
        PID:3020
    - - C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\
        5⤵
        
        PID:888
    - - C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\
        5⤵
        
        PID:772
      - C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        6⤵
        
        PID:2656
    - - C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\
        5⤵
        
        PID:1548
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
      4⤵
      PID:1676
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
    3⤵
    PID:1568
  - - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
      "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
      4⤵
      PID:1332
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
    3⤵
    PID:3004
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
    3⤵
    PID:3020

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
1⤵
PID:2216

C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
1⤵
PID:1712

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
1⤵
PID:1720

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
1⤵
PID:2912

C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
1⤵
PID:2640
- C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
  2⤵
  PID:2608

C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
1⤵
PID:2528

C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
1⤵
PID:1636

C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
1⤵
PID:2240

C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
1⤵
PID:2712

C:\Program Files\Java\update.exe
"C:\Program Files\Java\update.exe" C:\Program Files\Java\
1⤵
PID:2464
- C:\Program Files\Java\jre7\backup.exe
  "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
  2⤵
  PID:1204
- - C:\Program Files\Java\jre7\lib\backup.exe
    "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
    3⤵
    - Drops file in Program Files directory
    PID:2504
  - - C:\Program Files\Java\jre7\lib\amd64\System Restore.exe
      "C:\Program Files\Java\jre7\lib\amd64\System Restore.exe" C:\Program Files\Java\jre7\lib\amd64\
      4⤵
      PID:2448
  - - C:\Program Files\Java\jre7\lib\cmm\backup.exe
      "C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
      4⤵
      PID:2368
  - - C:\Program Files\Java\jre7\lib\images\backup.exe
      "C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
      4⤵
      PID:2084
  - - C:\Program Files\Java\jre7\lib\management\backup.exe
      "C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\
      4⤵
      PID:2208
  - - C:\Program Files\Java\jre7\lib\zi\backup.exe
      "C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\
      4⤵
      PID:2228
    - - C:\Program Files\Java\jre7\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\
        5⤵
        
        PID:1788
      - C:\Program Files\Java\jre7\lib\zi\America\Argentina\data.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Argentina\data.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\
        6⤵
        
        PID:2188
    - - C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe" C:\Program Files\Java\jre7\lib\zi\Africa\
        5⤵
        
        PID:2688
    - - C:\Program Files\Java\jre7\lib\zi\Etc\update.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Etc\update.exe" C:\Program Files\Java\jre7\lib\zi\Etc\
        5⤵
        
        PID:888
    - - C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe" C:\Program Files\Java\jre7\lib\zi\Indian\
        5⤵
        
        PID:2888
    - - C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jre7\lib\zi\SystemV\
        5⤵
        
        PID:1632
  - - C:\Program Files\Java\jre7\lib\security\backup.exe
      "C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
      4⤵
      PID:2076
    - - C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\
        5⤵
        System policy modification
        
        PID:1560
  - - C:\Program Files\Java\jre7\lib\jfr\backup.exe
      "C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
      4⤵
      PID:2332
  - - C:\Program Files\Java\jre7\lib\fonts\backup.exe
      "C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\
      4⤵
      PID:948
  - - C:\Program Files\Java\jre7\lib\ext\backup.exe
      "C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
      4⤵
      PID:412
  - - C:\Program Files\Java\jre7\lib\deploy\backup.exe
      "C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\
      4⤵
      PID:1368
  - - C:\Program Files\Java\jre7\lib\applet\backup.exe
      "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
      4⤵
      PID:2136

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
1⤵
PID:2352
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\
  2⤵
  PID:1688

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
1⤵
PID:2552
- C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\
  2⤵
  PID:1368

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
1⤵
PID:1544
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2384

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
1⤵
PID:1476

C:\Program Files\Internet Explorer\de-DE\data.exe
"C:\Program Files\Internet Explorer\de-DE\data.exe" C:\Program Files\Internet Explorer\de-DE\
1⤵
PID:488
- C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
  2⤵
  PID:884

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
1⤵
PID:2300
- C:\Program Files\7-Zip\Lang\backup.exe
  "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2928

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
1⤵
- System policy modification
PID:268

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
1⤵
PID:2828

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
1⤵
PID:1592

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
1⤵
PID:2104

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
1⤵
PID:1404

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
1⤵
PID:1528

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
1⤵
PID:2688

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
1⤵
PID:280
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
  2⤵
  PID:556
- - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
    "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
    3⤵
    PID:2092

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
1⤵
PID:968

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\System Restore.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
1⤵
PID:2096
- C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\update.exe
  "C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\
  2⤵
  PID:1260
- - C:\Program Files\Windows Defender\de-DE\backup.exe
    "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
    3⤵
    PID:2684
- - C:\Program Files\Windows Defender\en-US\backup.exe
    "C:\Program Files\Windows Defender\en-US\backup.exe" C:\Program Files\Windows Defender\en-US\
    3⤵
    PID:2856
- - C:\Program Files\Windows Defender\es-ES\backup.exe
    "C:\Program Files\Windows Defender\es-ES\backup.exe" C:\Program Files\Windows Defender\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Drops file in Program Files directory
    - System policy modification
    PID:700
- - C:\Program Files\Windows Defender\fr-FR\backup.exe
    "C:\Program Files\Windows Defender\fr-FR\backup.exe" C:\Program Files\Windows Defender\fr-FR\
    3⤵
    PID:1960
- - C:\Program Files\Windows Defender\it-IT\backup.exe
    "C:\Program Files\Windows Defender\it-IT\backup.exe" C:\Program Files\Windows Defender\it-IT\
    3⤵
    - Drops file in Program Files directory
    PID:2740
- - C:\Program Files\Windows Defender\ja-JP\backup.exe
    "C:\Program Files\Windows Defender\ja-JP\backup.exe" C:\Program Files\Windows Defender\ja-JP\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2264

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\System Restore.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
1⤵
PID:2084
- C:\Program Files\Java\jre7\lib\images\cursors\backup.exe
  "C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\
  2⤵
  PID:1944

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
1⤵
PID:1976

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
1⤵
- System policy modification
PID:1004

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
1⤵
PID:2424

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
1⤵
PID:1956
- C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\update.exe
  "C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\
  2⤵
  PID:2944

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
1⤵
PID:1968

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
1⤵
PID:2880
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
  2⤵
  - System policy modification
  PID:1800
- - C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
    "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
    3⤵
    PID:2488
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
  2⤵
  PID:2044
- C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
  "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
  2⤵
  PID:1620

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
1⤵
PID:1732

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
1⤵
PID:1664

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\
1⤵
PID:336

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\
1⤵
PID:2784

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
1⤵
PID:2608

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
1⤵
PID:1564
- C:\Program Files\Microsoft Office\Office14\backup.exe
  "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
  2⤵
  PID:2276

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
1⤵
PID:2912

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
1⤵
PID:2588

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\
1⤵
PID:1068

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\
1⤵
PID:884

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
1⤵
PID:2268

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\
1⤵
PID:2872

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\
1⤵
PID:2112

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
1⤵
PID:2136

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
1⤵
PID:2332

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
1⤵
PID:1268

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
1⤵
PID:2536

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
1⤵
PID:2440

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
1⤵
PID:1164

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
1⤵
PID:2124

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
1⤵
PID:600

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
1⤵
PID:2784

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
1⤵
PID:1448

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
1⤵
PID:2264

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
1⤵
PID:1716

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
1⤵
PID:2820

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
1⤵
PID:1676
- C:\Program Files\VideoLAN\VLC\locale\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
  2⤵
  PID:816
- - C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
    3⤵
    PID:2704
  - - C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
      4⤵
      System policy modification
      PID:2508
- - C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
    3⤵
    PID:2640
- - C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
    3⤵
    PID:320
- - C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
    3⤵
    PID:964
  - - C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\
      4⤵
      Drops file in Program Files directory
      PID:412
- - C:\Program Files\VideoLAN\VLC\locale\br\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\
    3⤵
    PID:1784
  - - C:\Users\Public\Documents\backup.exe
      C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
      4⤵
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2996
  - - C:\Users\Public\Downloads\backup.exe
      C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
      4⤵
      PID:2064
- - C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3024
  - - C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\
      4⤵
      PID:2228
    - - C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jre7\lib\zi\Pacific\
        5⤵
        
        PID:2336
    - - C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe" C:\Program Files\Java\jre7\lib\zi\Europe\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:768
    - - C:\Program Files\Java\jre7\lib\zi\Australia\update.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Australia\update.exe" C:\Program Files\Java\jre7\lib\zi\Australia\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2596
    - - C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jre7\lib\zi\Atlantic\
        5⤵
        System policy modification
        
        PID:2812
    - - C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Asia\
        5⤵
        
        PID:2948
    - - C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\
        5⤵
        
        PID:2632
- - C:\Program Files\VideoLAN\VLC\locale\bs\data.exe
    "C:\Program Files\VideoLAN\VLC\locale\bs\data.exe" C:\Program Files\VideoLAN\VLC\locale\bs\
    3⤵
    PID:2836
  - - C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1724
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
      4⤵
      PID:2276
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        5⤵
        
        PID:2564
- - C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\
    3⤵
    PID:856
  - - C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\
      4⤵
      PID:600
- - C:\Program Files\VideoLAN\VLC\locale\co\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\co\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\
    3⤵
    PID:784
- - C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\
    3⤵
    PID:1948
  - - C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\
      4⤵
      PID:2856
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
      4⤵
      PID:2044
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
      4⤵
      PID:1580
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
      4⤵
      System policy modification
      PID:2664
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
      4⤵
      PID:2304
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
      4⤵
      PID:696
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
      4⤵
      PID:2172
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
      4⤵
      PID:2920
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
      4⤵
      PID:2724
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
      4⤵
      Drops file in Program Files directory
      PID:2100
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
      4⤵
      PID:2720
    - - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        5⤵
        
        PID:1344
    - - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\
        5⤵
        System policy modification
        
        PID:1596
    - - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\
        5⤵
        
        PID:2064
    - - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        5⤵
        
        PID:2852
  - - C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
      4⤵
      PID:2632
- - C:\Program Files\VideoLAN\VLC\locale\da\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\da\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\
    3⤵
    PID:3044
- - C:\Program Files\VideoLAN\VLC\locale\de\update.exe
    "C:\Program Files\VideoLAN\VLC\locale\de\update.exe" C:\Program Files\VideoLAN\VLC\locale\de\
    3⤵
    PID:2764
  - - C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\
      4⤵
      PID:768
- - C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\
    3⤵
    - Disables RegEdit via registry modification
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\
      4⤵
      PID:3020
- - C:\Program Files\VideoLAN\VLC\locale\es\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\es\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\
    3⤵
    PID:1280
  - - C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:1516
  - - C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\
      4⤵
      PID:1672
- - C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\
    3⤵
    PID:908
- - C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\
    3⤵
    PID:948
  - - C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\
      4⤵
      PID:2324
- - C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\
    3⤵
    PID:2212
  - - C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe
      "C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\
      4⤵
      PID:1404
- - C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2824
  - - C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\System Restore.exe
      "C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\
      4⤵
      PID:2632
- - C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\
    3⤵
    PID:2096
- - C:\Program Files\VideoLAN\VLC\locale\et\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\et\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\
    3⤵
    PID:1048
- - C:\Program Files\VideoLAN\VLC\locale\el\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\el\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\
    3⤵
    PID:3028
- - C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\
    3⤵
    PID:1012
- - C:\Program Files\VideoLAN\VLC\locale\ckb\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\ckb\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ckb\
    3⤵
    PID:488
- - C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\
    3⤵
    PID:2968
- - C:\Program Files\VideoLAN\VLC\locale\bn_IN\update.exe
    "C:\Program Files\VideoLAN\VLC\locale\bn_IN\update.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\
    3⤵
    PID:1768
- - C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\
    3⤵
    PID:1240
- - C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\
    3⤵
    PID:1100
  - - C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\
      4⤵
      Modifies visibility of file extensions in Explorer
      Disables RegEdit via registry modification
      PID:1012
  - - C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\
      4⤵
      PID:2872
  - - C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\
      4⤵
      PID:964
  - - C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\System Restore.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\System Restore.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\
      4⤵
      PID:972
    - - C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\
        5⤵
        
        PID:2980
      - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\
        6⤵
        
        PID:764
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\
        7⤵
        
        PID:2476
      - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\
        6⤵
        
        PID:2720
      - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\
        6⤵
        
        PID:2232
  - - C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\
      4⤵
      PID:1344
- - C:\Program Files\VideoLAN\VLC\locale\az\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\az\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\
    3⤵
    PID:2552
- - C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
    3⤵
    PID:2284
  - - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\
      4⤵
      PID:696
  - - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\
      4⤵
      PID:884
- - C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
    3⤵
    PID:1672
- - C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
    3⤵
    PID:2912
- - C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
    3⤵
    PID:2616
- C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
  "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
  2⤵
  PID:1612

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
1⤵
PID:1620

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
1⤵
PID:2936

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
1⤵
PID:2824

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
1⤵
PID:888

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
1⤵
PID:2344

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
1⤵
PID:1752
- C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
  "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
  2⤵
  PID:1164

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
1⤵
PID:916

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
1⤵
PID:2332

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
1⤵
PID:776

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\
1⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
PID:2972

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
1⤵
PID:1692

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
1⤵
PID:344
- C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\
  2⤵
  PID:2684

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
1⤵
PID:2444

C:\Program Files\Common Files\System Restore.exe
"C:\Program Files\Common Files\System Restore.exe" C:\Program Files\Common Files\
1⤵
PID:2276
- C:\Program Files\Microsoft Office\Office14\1033\backup.exe
  "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
  2⤵
  PID:2660

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
1⤵
PID:2300

C:\Program Files\System Restore.exe
"C:\Program Files\System Restore.exe" C:\Program Files\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1384
- C:\Program Files\Microsoft Games\update.exe
  "C:\Program Files\Microsoft Games\update.exe" C:\Program Files\Microsoft Games\
  2⤵
  PID:1708
- - C:\Program Files\Microsoft Games\Chess\backup.exe
    "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
    3⤵
    PID:2916
  - - C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
      4⤵
      PID:2544
  - - C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
      "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
      4⤵
      PID:2508
  - - C:\Program Files\Mozilla Firefox\browser\backup.exe
      "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
      4⤵
      PID:2072
- - C:\Program Files\Microsoft Games\FreeCell\data.exe
    "C:\Program Files\Microsoft Games\FreeCell\data.exe" C:\Program Files\Microsoft Games\FreeCell\
    3⤵
    - Disables RegEdit via registry modification
    PID:2524
  - - C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
      "C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
      4⤵
      PID:320
    - - C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        5⤵
        
        PID:2440
      - C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        6⤵
        
        PID:488
  - - C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
      4⤵
      PID:1848
  - - C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
      4⤵
      Disables RegEdit via registry modification
      PID:2400
  - - C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
      "C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
      4⤵
      PID:1932
  - - C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
      "C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2892
  - - C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
      4⤵
      PID:2796
- - C:\Program Files\Microsoft Games\Hearts\backup.exe
    "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
    3⤵
    - Drops file in Program Files directory
    PID:1828
  - - C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe
      "C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
      4⤵
      PID:1652
  - - C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
      4⤵
      Disables RegEdit via registry modification
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:776
  - - C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe
      "C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
      4⤵
      PID:1092
  - - C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
      4⤵
      PID:824
  - - C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe
      "C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
      4⤵
      PID:2964
  - - C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
      4⤵
      PID:2136
- - C:\Program Files\Microsoft Games\Mahjong\backup.exe
    "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
    3⤵
    PID:700
  - - C:\Program Files\Microsoft Games\Mahjong\ja-JP\System Restore.exe
      "C:\Program Files\Microsoft Games\Mahjong\ja-JP\System Restore.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2728
  - - C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe
      "C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\
      4⤵
      PID:1316
    - - C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
        5⤵
        
        PID:2112
    - - C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
        5⤵
        
        PID:2456
  - - C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\
      4⤵
      PID:280
  - - C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe
      "C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\
      4⤵
      PID:2012
    - - C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:964
  - - C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe
      "C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\
      4⤵
      PID:2112
  - - C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\
      4⤵
      PID:1604
- - C:\Program Files\Microsoft Games\More Games\backup.exe
    "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
    3⤵
    PID:1596
  - - C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe" C:\Program Files\Microsoft Games\More Games\ja-JP\
      4⤵
      PID:892
- - C:\Program Files\Microsoft Games\Multiplayer\update.exe
    "C:\Program Files\Microsoft Games\Multiplayer\update.exe" C:\Program Files\Microsoft Games\Multiplayer\
    3⤵
    PID:2168
  - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\
      4⤵
      PID:1032
    - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\
        5⤵
        
        PID:2036
    - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\System Restore.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\
        5⤵
        
        PID:2700
    - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\
        5⤵
        
        PID:2564
    - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\
        5⤵
        
        PID:2960
    - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\
        5⤵
        
        PID:2640
    - - C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\
        5⤵
        
        PID:2296
      - C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\
        6⤵
        
        PID:1700
  - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\System Restore.exe
      "C:\Program Files\Microsoft Games\Multiplayer\Checkers\System Restore.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:596
    - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\
        5⤵
        
        PID:2316
    - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\data.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\data.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\
        5⤵
        
        PID:2488
      - C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\
        6⤵
        
        PID:1848
    - - C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\
        5⤵
        
        PID:2124
  - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
      "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
      4⤵
      PID:1628
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        5⤵
        
        PID:1788
      - C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\
        6⤵
        
        PID:916
        
        C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\
        7⤵
        
        PID:1432
      - C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\
        6⤵
        
        PID:1796
      - C:\Program Files\Java\jre7\lib\zi\America\Indiana\data.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Indiana\data.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\
        6⤵
        
        PID:1592
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        5⤵
        
        PID:2736
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        5⤵
        
        PID:2856
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        5⤵
        
        PID:1968
    - - C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        5⤵
        
        PID:2128
- - C:\Program Files\Microsoft Games\Purble Place\backup.exe
    "C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
    3⤵
    PID:2116
  - - C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Purble Place\ja-JP\
      4⤵
      PID:1560
  - - C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe" C:\Program Files\Microsoft Games\Purble Place\it-IT\
      4⤵
      PID:1288
  - - C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Purble Place\fr-FR\
      4⤵
      System policy modification
      PID:2040
  - - C:\Program Files\Microsoft Games\Purble Place\es-ES\update.exe
      "C:\Program Files\Microsoft Games\Purble Place\es-ES\update.exe" C:\Program Files\Microsoft Games\Purble Place\es-ES\
      4⤵
      System policy modification
      PID:1600
  - - C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe" C:\Program Files\Microsoft Games\Purble Place\en-US\
      4⤵
      PID:2184
  - - C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe" C:\Program Files\Microsoft Games\Purble Place\de-DE\
      4⤵
      PID:2004
- - C:\Program Files\Microsoft Games\Solitaire\backup.exe
    "C:\Program Files\Microsoft Games\Solitaire\backup.exe" C:\Program Files\Microsoft Games\Solitaire\
    3⤵
    PID:2720
  - - C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe
      "C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\Solitaire\en-US\
      4⤵
      System policy modification
      PID:3032
  - - C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe
      "C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\Solitaire\de-DE\
      4⤵
      PID:916
  - - C:\Program Files\Microsoft Games\Solitaire\ja-JP\System Restore.exe
      "C:\Program Files\Microsoft Games\Solitaire\ja-JP\System Restore.exe" C:\Program Files\Microsoft Games\Solitaire\ja-JP\
      4⤵
      Disables RegEdit via registry modification
      PID:1880
  - - C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe
      "C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\Solitaire\it-IT\
      4⤵
      PID:2840
  - - C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe
      "C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Solitaire\fr-FR\
      4⤵
      PID:2268
  - - C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe
      "C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\Solitaire\es-ES\
      4⤵
      PID:2848
- - C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe
    "C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\
    3⤵
    PID:2672
- - C:\Program Files\Microsoft Games\Minesweeper\backup.exe
    "C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
    3⤵
    PID:2220
- - C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\
    3⤵
    PID:1772
- C:\Program Files\Microsoft Office\backup.exe
  "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
  2⤵
  PID:1564
- C:\Program Files\Mozilla Firefox\backup.exe
  "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
  2⤵
  - Drops file in Program Files directory
  PID:2916
- - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
    "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
    3⤵
    PID:2368
- - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
    "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
    3⤵
    PID:572
- - C:\Program Files\Mozilla Firefox\fonts\backup.exe
    "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
    3⤵
    - Drops file in Program Files directory
    PID:356
- - C:\Program Files\Mozilla Firefox\defaults\backup.exe
    "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
    3⤵
    PID:2304
- - C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
    "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
    3⤵
    PID:2064
- - C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
    "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1564
- - C:\Program Files\Microsoft Games\Chess\en-US\data.exe
    "C:\Program Files\Microsoft Games\Chess\en-US\data.exe" C:\Program Files\Microsoft Games\Chess\en-US\
    3⤵
    PID:1644
- C:\Program Files\MSBuild\backup.exe
  "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
  2⤵
  PID:2388
- C:\Program Files\Reference Assemblies\backup.exe
  "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
  2⤵
  PID:2604
- C:\Program Files\VideoLAN\System Restore.exe
  "C:\Program Files\VideoLAN\System Restore.exe" C:\Program Files\VideoLAN\
  2⤵
  PID:3064
- - C:\Program Files\VideoLAN\VLC\backup.exe
    "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
    3⤵
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Program Files\VideoLAN\VLC\lua\update.exe
      "C:\Program Files\VideoLAN\VLC\lua\update.exe" C:\Program Files\VideoLAN\VLC\lua\
      4⤵
      PID:1048
    - - C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\extensions\backup.exe" C:\Program Files\VideoLAN\VLC\lua\extensions\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2428
    - - C:\Program Files\VideoLAN\VLC\lua\http\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\
        5⤵
        
        PID:584
      - C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\images\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\images\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2116
      - C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\requests\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\requests\
        6⤵
        
        PID:2268
      - C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\js\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\js\
        6⤵
        
        PID:2768
      - C:\Program Files\VideoLAN\VLC\lua\http\dialogs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\dialogs\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\dialogs\
        6⤵
        
        PID:880
    - - C:\Program Files\VideoLAN\VLC\lua\intf\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\intf\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\
        5⤵
        
        PID:1648
      - C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\intf\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\intf\modules\
        6⤵
        
        PID:2532
    - - C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\meta\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2336
      - C:\Program Files\VideoLAN\VLC\lua\meta\art\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\meta\art\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\art\
        6⤵
        System policy modification
        
        PID:1616
      - C:\Program Files\VideoLAN\VLC\lua\meta\reader\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\meta\reader\backup.exe" C:\Program Files\VideoLAN\VLC\lua\meta\reader\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1332
    - - C:\Program Files\VideoLAN\VLC\lua\sd\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\sd\backup.exe" C:\Program Files\VideoLAN\VLC\lua\sd\
        5⤵
        
        PID:2088
    - - C:\Program Files\VideoLAN\VLC\lua\playlist\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\playlist\backup.exe" C:\Program Files\VideoLAN\VLC\lua\playlist\
        5⤵
        
        PID:688
    - - C:\Program Files\VideoLAN\VLC\lua\modules\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\modules\backup.exe" C:\Program Files\VideoLAN\VLC\lua\modules\
        5⤵
        
        PID:1700
  - - C:\Program Files\VideoLAN\VLC\plugins\backup.exe
      "C:\Program Files\VideoLAN\VLC\plugins\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:1476
    - - C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access\
        5⤵
        
        PID:1712
    - - C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\access_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\access_output\
        5⤵
        
        PID:2308
    - - C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\codec\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\codec\
        5⤵
        Disables RegEdit via registry modification
        System policy modification
        
        PID:1068
    - - C:\Program Files\VideoLAN\VLC\plugins\control\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\control\
        5⤵
        
        PID:1760
    - - C:\Program Files\VideoLAN\VLC\plugins\d3d11\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d11\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\d3d11\
        5⤵
        
        PID:1952
    - - C:\Program Files\VideoLAN\VLC\plugins\demux\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\demux\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\demux\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1620
    - - C:\Program Files\VideoLAN\VLC\plugins\keystore\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\keystore\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\keystore\
        5⤵
        
        PID:2636
    - - C:\Program Files\VideoLAN\VLC\plugins\logger\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\logger\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\logger\
        5⤵
        Disables RegEdit via registry modification
        
        PID:2212
    - - C:\Program Files\VideoLAN\VLC\plugins\mux\update.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\mux\update.exe" C:\Program Files\VideoLAN\VLC\plugins\mux\
        5⤵
        
        PID:2948
    - - C:\Program Files\VideoLAN\VLC\plugins\spu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\spu\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\spu\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2656
    - - C:\Program Files\VideoLAN\VLC\plugins\services_discovery\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\services_discovery\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\services_discovery\
        5⤵
        System policy modification
        
        PID:932
    - - C:\Program Files\VideoLAN\VLC\plugins\packetizer\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\packetizer\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\packetizer\
        5⤵
        
        PID:2512
    - - C:\Program Files\VideoLAN\VLC\plugins\misc\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\misc\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\misc\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2936
    - - C:\Program Files\VideoLAN\VLC\plugins\meta_engine\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\meta_engine\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\meta_engine\
        5⤵
        
        PID:2180
    - - C:\Program Files\VideoLAN\VLC\plugins\lua\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\lua\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\lua\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2332
    - - C:\Program Files\VideoLAN\VLC\plugins\gui\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\gui\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\gui\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1612
    - - C:\Program Files\VideoLAN\VLC\plugins\d3d9\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\d3d9\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\d3d9\
        5⤵
        Drops file in Program Files directory
        
        PID:1688
    - - C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_output\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2388
    - - C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\
        5⤵
        System policy modification
        
        PID:2552
    - - C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\audio_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\audio_filter\
        5⤵
        
        PID:2976
    - - C:\Program Files\VideoLAN\VLC\plugins\stream_filter\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\stream_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\stream_filter\
        5⤵
        
        PID:1948
    - - C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1700
    - - C:\Program Files\VideoLAN\VLC\plugins\stream_out\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\stream_out\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\stream_out\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1064
    - - C:\Program Files\VideoLAN\VLC\plugins\text_renderer\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\text_renderer\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\text_renderer\
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3064
    - - C:\Program Files\VideoLAN\VLC\plugins\video_chroma\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\video_chroma\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\video_chroma\
        5⤵
        
        PID:2652
    - - C:\Program Files\VideoLAN\VLC\plugins\video_filter\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\video_filter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\video_filter\
        5⤵
        System policy modification
        
        PID:2104
    - - C:\Program Files\VideoLAN\VLC\plugins\video_output\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\video_output\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\video_output\
        5⤵
        Drops file in Program Files directory
        
        PID:2648
    - - C:\Program Files\VideoLAN\VLC\plugins\video_splitter\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\video_splitter\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\video_splitter\
        5⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2668
    - - C:\Program Files\VideoLAN\VLC\plugins\visualization\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\visualization\backup.exe" C:\Program Files\VideoLAN\VLC\plugins\visualization\
        5⤵
        
        PID:1032
  - - C:\Program Files\VideoLAN\VLC\skins\backup.exe
      "C:\Program Files\VideoLAN\VLC\skins\backup.exe" C:\Program Files\VideoLAN\VLC\skins\
      4⤵
      PID:2456
- C:\Program Files\Windows Journal\backup.exe
  "C:\Program Files\Windows Journal\backup.exe" C:\Program Files\Windows Journal\
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2124
- - C:\Program Files\Windows Journal\fr-FR\backup.exe
    "C:\Program Files\Windows Journal\fr-FR\backup.exe" C:\Program Files\Windows Journal\fr-FR\
    3⤵
    PID:2456
- - C:\Program Files\Windows Journal\ja-JP\backup.exe
    "C:\Program Files\Windows Journal\ja-JP\backup.exe" C:\Program Files\Windows Journal\ja-JP\
    3⤵
    PID:1688
- - C:\Program Files\Windows Journal\Templates\backup.exe
    "C:\Program Files\Windows Journal\Templates\backup.exe" C:\Program Files\Windows Journal\Templates\
    3⤵
    PID:1504
- - C:\Program Files\Windows Journal\it-IT\backup.exe
    "C:\Program Files\Windows Journal\it-IT\backup.exe" C:\Program Files\Windows Journal\it-IT\
    3⤵
    PID:880
- - C:\Program Files\Windows Journal\es-ES\backup.exe
    "C:\Program Files\Windows Journal\es-ES\backup.exe" C:\Program Files\Windows Journal\es-ES\
    3⤵
    PID:2216
- - C:\Program Files\Windows Journal\en-US\backup.exe
    "C:\Program Files\Windows Journal\en-US\backup.exe" C:\Program Files\Windows Journal\en-US\
    3⤵
    PID:1164
- - C:\Program Files\Windows Journal\de-DE\backup.exe
    "C:\Program Files\Windows Journal\de-DE\backup.exe" C:\Program Files\Windows Journal\de-DE\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:336
- C:\Program Files\Windows Mail\backup.exe
  "C:\Program Files\Windows Mail\backup.exe" C:\Program Files\Windows Mail\
  2⤵
  - System policy modification
  PID:2616
- - C:\Program Files\Windows Mail\de-DE\backup.exe
    "C:\Program Files\Windows Mail\de-DE\backup.exe" C:\Program Files\Windows Mail\de-DE\
    3⤵
    - Disables RegEdit via registry modification
    PID:856
- - C:\Program Files\Windows Mail\en-US\backup.exe
    "C:\Program Files\Windows Mail\en-US\backup.exe" C:\Program Files\Windows Mail\en-US\
    3⤵
    PID:2376
- - C:\Program Files\Windows Mail\fr-FR\backup.exe
    "C:\Program Files\Windows Mail\fr-FR\backup.exe" C:\Program Files\Windows Mail\fr-FR\
    3⤵
    - System policy modification
    PID:2292
- - C:\Program Files\Windows Mail\es-ES\backup.exe
    "C:\Program Files\Windows Mail\es-ES\backup.exe" C:\Program Files\Windows Mail\es-ES\
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Program Files\Windows Mail\it-IT\backup.exe
    "C:\Program Files\Windows Mail\it-IT\backup.exe" C:\Program Files\Windows Mail\it-IT\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2620
- - C:\Program Files\Windows Mail\ja-JP\backup.exe
    "C:\Program Files\Windows Mail\ja-JP\backup.exe" C:\Program Files\Windows Mail\ja-JP\
    3⤵
    PID:2064
- C:\Program Files\Windows Defender\backup.exe
  "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1260
- C:\Program Files\Windows Media Player\data.exe
  "C:\Program Files\Windows Media Player\data.exe" C:\Program Files\Windows Media Player\
  2⤵
  PID:2708
- - C:\Program Files\Windows Media Player\de-DE\backup.exe
    "C:\Program Files\Windows Media Player\de-DE\backup.exe" C:\Program Files\Windows Media Player\de-DE\
    3⤵
    PID:1644
- - C:\Program Files\Windows Media Player\en-US\backup.exe
    "C:\Program Files\Windows Media Player\en-US\backup.exe" C:\Program Files\Windows Media Player\en-US\
    3⤵
    PID:888
- - C:\Program Files\Windows Media Player\es-ES\backup.exe
    "C:\Program Files\Windows Media Player\es-ES\backup.exe" C:\Program Files\Windows Media Player\es-ES\
    3⤵
    PID:2072
- C:\Program Files\Windows NT\backup.exe
  "C:\Program Files\Windows NT\backup.exe" C:\Program Files\Windows NT\
  2⤵
  PID:2276

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
1⤵
PID:2700

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
1⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2520

C:\backup.exe
\backup.exe \
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files (x86)\backup.exe
  "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
  2⤵
  PID:1540
- - C:\Program Files (x86)\Common Files\data.exe
    "C:\Program Files (x86)\Common Files\data.exe" C:\Program Files (x86)\Common Files\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1288
  - - C:\Program Files (x86)\Common Files\Adobe\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2736
    - - C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        5⤵
        
        PID:2676
      - C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\
        6⤵
        
        PID:1044
    - - C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        5⤵
        System policy modification
        
        PID:1888
    - - C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        5⤵
        
        PID:2000
  - - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
      "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1300
  - - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
      "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
      4⤵
      PID:856
  - - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:2440
    - - C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        5⤵
        
        PID:2552
    - - C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        5⤵
        
        PID:824
      - C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1268
    - - C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:320
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        6⤵
        
        PID:1568
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        6⤵
        
        PID:1968
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1060
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        6⤵
        
        PID:2128
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        6⤵
        
        PID:2408
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        6⤵
        
        PID:572
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        6⤵
        
        PID:1368
      - C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        6⤵
        
        PID:1344
    - - C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        5⤵
        
        PID:1964
      - C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
        6⤵
        
        PID:2604
    - - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        5⤵
        
        PID:1204
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        6⤵
        
        PID:2672
        
        C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\
        7⤵
        
        PID:2704
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        6⤵
        
        PID:2704
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2276
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        6⤵
        
        PID:1932
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        6⤵
        
        PID:2640
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        6⤵
        
        PID:1332
      - C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\
        6⤵
        
        PID:1364
    - - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        5⤵
        
        PID:1752
      - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        6⤵
        
        PID:1036
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
        7⤵
        
        PID:2444
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
        7⤵
        
        PID:896
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
        7⤵
        
        PID:2112
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\
        8⤵
        
        PID:1968
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
        7⤵
        
        PID:772
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
        7⤵
        
        PID:2236
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
        7⤵
        
        PID:2100
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
        7⤵
        
        PID:1044
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
        7⤵
        
        PID:2632
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
        7⤵
        
        PID:2708
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
        7⤵
        Disables RegEdit via registry modification
        
        PID:1788
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
        7⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
        7⤵
        
        PID:2476
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
        7⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2820
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
        7⤵
        
        PID:1448
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
        7⤵
        
        PID:2564
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
        7⤵
        
        PID:336
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
        7⤵
        
        PID:1712
      - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        6⤵
        
        PID:1544
    - - C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        5⤵
        
        PID:2088
    - - C:\Program Files (x86)\Common Files\microsoft shared\Portal\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        5⤵
        
        PID:1792
      - C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
        6⤵
        
        PID:1928
    - - C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        5⤵
        
        PID:2428
    - - C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        5⤵
        
        PID:1948
    - - C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        5⤵
        
        PID:2232
      - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        6⤵
        
        PID:2712
    - - C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        5⤵
        
        PID:2984
    - - C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        5⤵
        System policy modification
        
        PID:2408
    - - C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        5⤵
        
        PID:2712
    - - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        5⤵
        
        PID:2088
      - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1076
      - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\
        6⤵
        
        PID:1616
      - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1964
      - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\
        6⤵
        
        PID:2616
      - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\
        6⤵
        
        PID:1656
      - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\
        6⤵
        
        PID:2968
      - C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\
        6⤵
        
        PID:1520
    - - C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        5⤵
        
        PID:2212
    - - C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        5⤵
        
        PID:1316
    - - C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        5⤵
        
        PID:2324
    - - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
        5⤵
        Drops file in Program Files directory
        
        PID:2284
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\
        6⤵
        
        PID:1672
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\
        6⤵
        
        PID:296
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\
        6⤵
        
        PID:880
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\
        6⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2300
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\
        6⤵
        
        PID:332
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\
        6⤵
        
        PID:488
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\
        6⤵
        
        PID:1592
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\
        7⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:1100
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\
        6⤵
        
        PID:2076
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\
        6⤵
        
        PID:2804
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\
        6⤵
        
        PID:1616
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\
        6⤵
        Drops file in Program Files directory
        
        PID:2724
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\
        6⤵
        
        PID:676
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\
        6⤵
        
        PID:1632
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\
        6⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2168
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\
        6⤵
        
        PID:2212
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\
        6⤵
        
        PID:2968
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\
        6⤵
        
        PID:1304
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\
        6⤵
        
        PID:1048
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\
        6⤵
        
        PID:584
        
        C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\lua\http\css\backup.exe" C:\Program Files\VideoLAN\VLC\lua\http\css\
        7⤵
        
        PID:2688
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\
        6⤵
        
        PID:2552
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\
        6⤵
        
        PID:336
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\
        6⤵
        
        PID:2280
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\
        6⤵
        
        PID:296
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\
        6⤵
        
        PID:1068
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\
        6⤵
        
        PID:1952
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\
        6⤵
        
        PID:2848
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\
        6⤵
        
        PID:2936
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:572
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\
        6⤵
        
        PID:3012
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\
        6⤵
        
        PID:2924
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\
        6⤵
        Disables RegEdit via registry modification
        
        PID:2920
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\
        6⤵
        
        PID:2512
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\
        6⤵
        
        PID:2944
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\
        6⤵
        
        PID:2268
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\
        6⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2080
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\
        6⤵
        
        PID:2448
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\
        6⤵
        
        PID:1936
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\
        6⤵
        
        PID:1712
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\
        6⤵
        
        PID:1656
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\
        6⤵
        
        PID:1448
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2700
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\
        6⤵
        
        PID:1544
      - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\
        6⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2484
    - - C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1368
      - C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\
        6⤵
        
        PID:2456
      - C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\
        6⤵
        
        PID:2104
      - C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\
        6⤵
        Disables RegEdit via registry modification
        
        PID:296
      - C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\
        6⤵
        
        PID:2776
      - C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1768
      - C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\
        6⤵
        Disables RegEdit via registry modification
        
        PID:1968
    - - C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1636
      - C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\
        6⤵
        
        PID:752
      - C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\
        6⤵
        
        PID:1772
      - C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\
        6⤵
        
        PID:1728
      - C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2236
    - - C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\
        5⤵
        
        PID:1240
      - C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1840
      - C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\
        6⤵
        
        PID:2288
    - - C:\Program Files (x86)\Common Files\microsoft shared\VGX\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VGX\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\VGX\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2488
    - - C:\Program Files (x86)\Common Files\microsoft shared\VSTO\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\
        5⤵
        
        PID:2560
      - C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\
        6⤵
        
        PID:2324
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\
        7⤵
        
        PID:2476
    - - C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
    - - C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\
        5⤵
        System policy modification
        
        PID:1592
    - - C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\
        5⤵
        
        PID:2980
    - - C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VC\
        5⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2448
  - - C:\Program Files (x86)\Common Files\Services\update.exe
      "C:\Program Files (x86)\Common Files\Services\update.exe" C:\Program Files (x86)\Common Files\Services\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2536
  - - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
      "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1164
    - - C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        5⤵
        
        PID:1792
  - - C:\Program Files (x86)\Common Files\System\backup.exe
      "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
      4⤵
      System policy modification
      PID:2632
- - C:\Program Files (x86)\Google\backup.exe
    "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2640
  - - C:\Program Files (x86)\Google\CrashReports\data.exe
      "C:\Program Files (x86)\Google\CrashReports\data.exe" C:\Program Files (x86)\Google\CrashReports\
      4⤵
      PID:2532
  - - C:\Program Files (x86)\Google\Temp\System Restore.exe
      "C:\Program Files (x86)\Google\Temp\System Restore.exe" C:\Program Files (x86)\Google\Temp\
      4⤵
      Modifies visibility of file extensions in Explorer
      Drops file in Program Files directory
      PID:1656
  - - C:\Program Files (x86)\Google\Update\backup.exe
      "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
      4⤵
      PID:1984
- - C:\Program Files (x86)\Internet Explorer\backup.exe
    "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
    3⤵
    PID:2044
- - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
    "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2280
- C:\Users\backup.exe
  C:\Users\backup.exe C:\Users\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:848
- C:\Windows\backup.exe
  C:\Windows\backup.exe C:\Windows\
  2⤵
  PID:1276
- - C:\Windows\addins\backup.exe
    C:\Windows\addins\backup.exe C:\Windows\addins\
    3⤵
    - System policy modification
    PID:2120
- - C:\Windows\AppCompat\backup.exe
    C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
    3⤵
    PID:1960
- - C:\Windows\AppPatch\backup.exe
    C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
    3⤵
    - Disables RegEdit via registry modification
    PID:1520
- - C:\Windows\assembly\backup.exe
    C:\Windows\assembly\backup.exe C:\Windows\assembly\
    3⤵
    PID:1240

C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\
1⤵
PID:2268

C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\
1⤵
PID:2708

C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\
1⤵
PID:3032

C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\System Restore.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\System Restore.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\
1⤵
PID:2084

C:\Program Files\Mozilla Firefox\browser\features\backup.exe
"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
1⤵
PID:2796

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
1⤵
- System policy modification
PID:312

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
1⤵
PID:540

C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
1⤵
PID:332

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
1⤵
PID:2648

C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\
1⤵
PID:932

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\
1⤵
PID:1544

C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\
1⤵
PID:848
- C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\
  2⤵
  PID:2848

C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\
1⤵
PID:2664

C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
1⤵
PID:2072
- C:\Program Files\Mozilla Firefox\browser\VisualElements\update.exe
  "C:\Program Files\Mozilla Firefox\browser\VisualElements\update.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
  2⤵
  PID:1048
- - C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe
    "C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\
    3⤵
    PID:1884

C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\
1⤵
PID:1032
- C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\backup.exe
  "C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\
  2⤵
  PID:452

C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\
1⤵
PID:1640

C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\data.exe
"C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\
1⤵
PID:2700

C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\
1⤵
PID:1512

C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\
1⤵
PID:2444

C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\
1⤵
PID:2832
- C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe
  "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  PID:2924
- - C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe
    "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\
    3⤵
    PID:2576
  - - C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1032

C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\
1⤵
PID:2556

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:896

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
- Modifies visibility of file extensions in Explorer
PID:1512

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
- Disables RegEdit via registry modification
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
72KB

MD5
4ecbf4dd341ef075287932b300e52dfb

SHA1
8bf7d12b24f6cc8c2378b925fb4c2ba7b27eb010

SHA256
44104bd0404b06a23160775bd54cb69312195ce7a77169a42480356b8bc5c66a

SHA512
7d8e90b0b27410088da6301abef777a34f077ec5b3e1526b284e73a60d43ff66546807c5a02661c16a10e16c6320c9345ad889a2423cf8ea81511ae05fe27b90

Download Submit
C:\Program Files\Common Files\System Restore.exe

Filesize
72KB

MD5
c34dc8dc99fedfe184960e2a8d98f33d

SHA1
40d9e2836bdca6d0397c10f810e0f95ebaac98a6

SHA256
410dd6ff14b1acfd6b836d266cecf0126191aa63079a6e038ac65304748f6bdf

SHA512
cea6d776923814e50ee0a4e2f4921a24345be878fc76f29f20d5a34f100a7ca4ca70b09fbe9eb92e2d18c89359f5cc314b0cf44eca6c8028dcdca52f65e0cf90

Download Submit
C:\Program Files\System Restore.exe

Filesize
72KB

MD5
71fab7f64192fb11e03bcd4eb43d8d40

SHA1
a992e6b9b6fdb1be511d345d4bb003cb2d56bb62

SHA256
31cd828f7f16bec022348122be903f72af718e1246478cff3bcbbc8dd8313851

SHA512
f7ca44607252e9ec42fd6ab4f3530e047911b9106015eb52eaf56a1dd17bcb762c0dad3c9733eadb884f6271ecbfd3bf99021e0973c88a759b13f8fbae2ee7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe

Filesize
72KB

MD5
7bdfa9cdedba6667e8b0c39685a8fb71

SHA1
79edef2f20e92bb1b478bab33070fc92bd06626d

SHA256
031bfc7685913b0b5b9d8916b12af01282f27ba8b6c7668314487fcbeaeabdbb

SHA512
a60155a2e38ee4b2b09944ddcaad2ab2a7ef284ac5849275320c4d9567c50f8bfec77aa81ce68a13c7141c8f3e14cc825bcbeead43e4b9b9b3c64ac5fb890f07

Download Submit
C:\backup.exe

Filesize
72KB

MD5
01a6ae8bcce3e05f3809b3a75fafac98

SHA1
3517f60d072d3391632a2d5da57b6095fd3930cb

SHA256
70d3ed62773a845dfd20eeba4f7551a8025451518870bdddde61daa928489537

SHA512
16f0292728cece7db382df9540b8b5976a8658b0c39da12522f7079e72548d5f372a9f0f87f567f595c0a6c8929674a38a4ab4a3588c4add1bcf2962aed165d3

Download Submit
memory/1240-7405-0x00000000029D0000-0x0000000002AE0000-memory.dmp

Filesize
1.1MB

Download
memory/2996-119-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads