22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
Size

296KB
MD5

6fb180c87634ea578855ca74be7dfe87
SHA1

037bdacd6b97df68756100fb6810449fcd11b9bf
SHA256

22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f
SHA512

a45d5dd6bacd6ad6b556a9ab8c3e0be4264e0cc33bb7e13605e6bb856c5414b13eebcc7df492d9aae58b58159f5da112ed2ba7b7d54694819d7e672fe8f86bf1
SSDEEP

1536:ZeT7BVwxfvEFwjRbfvCeSeT7BVwxfvEFcjRxT7BI7BVwxfvETmL:ZmVwRKC769mVwRKGTIVwRNL

Score

10^/10

evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exedata.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/616-0-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\411840959\backup.exe	UPX
behavioral1/memory/616-7-0x0000000002AC0000-0x0000000002B17000-memory.dmp	UPX
behavioral1/memory/1976-13-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/3056-28-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2068-47-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/616-46-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2068-51-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/1976-59-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2768-62-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2668-76-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\CRX_INSTALL\backup.exe	UPX
behavioral1/memory/2548-96-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2516-97-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\backup.exe	UPX
behavioral1/memory/616-101-0x0000000002AC0000-0x0000000002B17000-memory.dmp	UPX
behavioral1/memory/2696-100-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/616-107-0x0000000002AC0000-0x0000000002B17000-memory.dmp	UPX
C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\CRX_INSTALL\backup.exe	UPX
behavioral1/memory/2988-122-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/1636-123-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2584-133-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
C:\backup.exe	UPX
\PerfLogs\backup.exe	UPX
behavioral1/memory/616-166-0x0000000002AC0000-0x0000000002B17000-memory.dmp	UPX
\PerfLogs\Admin\backup.exe	UPX
behavioral1/memory/2836-184-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2244-183-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2192-205-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
\Program Files\7-Zip\Lang\backup.exe	UPX
behavioral1/memory/268-219-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/268-221-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
\Program Files\Common Files\backup.exe	UPX
behavioral1/memory/2192-224-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/880-230-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
\Program Files\Common Files\Microsoft Shared\backup.exe	UPX
behavioral1/memory/2320-252-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2320-256-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2132-265-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/1964-264-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/1604-271-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/1604-275-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/1888-282-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/1888-284-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2280-289-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/552-290-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/552-294-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/3004-301-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/3004-303-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2132-309-0x0000000000540000-0x0000000000597000-memory.dmp	UPX
behavioral1/memory/2468-308-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2468-310-0x0000000001D30000-0x0000000001D87000-memory.dmp	UPX
behavioral1/memory/2136-315-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2132-320-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2404-324-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2228-331-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2228-333-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2168-340-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2168-342-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2132-347-0x0000000000540000-0x0000000000597000-memory.dmp	UPX
behavioral1/memory/2680-348-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2680-352-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2684-360-0x0000000000400000-0x0000000000457000-memory.dmp	UPX
behavioral1/memory/2648-366-0x0000000000400000-0x0000000000457000-memory.dmp	UPX

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exe

pid	process
1976	backup.exe
3056	backup.exe
2696	backup.exe
2068	backup.exe
2768	backup.exe
2668	backup.exe
2516	backup.exe
2548	backup.exe
2988	backup.exe
1636	backup.exe
2584	backup.exe
880	backup.exe
2836	backup.exe
2244	backup.exe
1964	backup.exe
2192	backup.exe
268	backup.exe
2280	backup.exe
2468	backup.exe
2320	backup.exe
2132	backup.exe
1604	System Restore.exe
1888	backup.exe
552	backup.exe
3004	backup.exe
2136	backup.exe
2404	backup.exe
2228	backup.exe
2168	backup.exe
2680	backup.exe
2684	backup.exe
2648	backup.exe
2892	backup.exe
2748	data.exe
2496	backup.exe
2560	backup.exe
2976	backup.exe
2472	backup.exe
1780	System Restore.exe
2724	backup.exe
2000	backup.exe
328	backup.exe
2484	backup.exe
2736	backup.exe
1612	backup.exe
1676	backup.exe
1764	backup.exe
2920	System Restore.exe
476	backup.exe
1464	backup.exe
544	update.exe
2464	backup.exe
2368	backup.exe
1532	backup.exe
940	backup.exe
1892	update.exe
3012	backup.exe
2144	backup.exe
540	backup.exe
1724	backup.exe
1596	update.exe
2204	backup.exe
2644	backup.exe
2760	backup.exe

Loads dropped DLL 64 IoCs

Processes:

22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

pid	process
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
2516	backup.exe
2516	backup.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
2988	backup.exe
2988	backup.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
880	backup.exe
880	backup.exe
2836	backup.exe
2836	backup.exe
880	backup.exe
880	backup.exe
1964	backup.exe
1964	backup.exe
2192	backup.exe
2192	backup.exe
1964	backup.exe
1964	backup.exe
2280	backup.exe
2280	backup.exe
2468	backup.exe
2468	backup.exe
2468	backup.exe
2468	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe
2132	backup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/616-0-0x0000000000400000-0x0000000000457000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\411840959\backup.exe	upx
behavioral1/memory/616-7-0x0000000002AC0000-0x0000000002B17000-memory.dmp	upx
behavioral1/memory/1976-13-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/3056-28-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2068-47-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/616-46-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2068-51-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1976-59-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2768-62-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2668-76-0x0000000000400000-0x0000000000457000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\CRX_INSTALL\backup.exe	upx
behavioral1/memory/2548-96-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2516-97-0x0000000000400000-0x0000000000457000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\backup.exe	upx
behavioral1/memory/616-101-0x0000000002AC0000-0x0000000002B17000-memory.dmp	upx
behavioral1/memory/2696-100-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/616-107-0x0000000002AC0000-0x0000000002B17000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\CRX_INSTALL\backup.exe	upx
behavioral1/memory/2988-122-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1636-123-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2584-133-0x0000000000400000-0x0000000000457000-memory.dmp	upx
C:\backup.exe	upx
\PerfLogs\backup.exe	upx
behavioral1/memory/616-166-0x0000000002AC0000-0x0000000002B17000-memory.dmp	upx
\PerfLogs\Admin\backup.exe	upx
behavioral1/memory/2836-184-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2244-183-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2192-205-0x0000000000400000-0x0000000000457000-memory.dmp	upx
\Program Files\7-Zip\Lang\backup.exe	upx
behavioral1/memory/268-219-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/268-221-0x0000000000400000-0x0000000000457000-memory.dmp	upx
\Program Files\Common Files\backup.exe	upx
behavioral1/memory/2192-224-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/880-230-0x0000000000400000-0x0000000000457000-memory.dmp	upx
\Program Files\Common Files\Microsoft Shared\backup.exe	upx
behavioral1/memory/2320-252-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2320-256-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2132-265-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1964-264-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1604-271-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1604-275-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1888-282-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/1888-284-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2280-289-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/552-290-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/552-294-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/3004-301-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/3004-303-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2132-309-0x0000000000540000-0x0000000000597000-memory.dmp	upx
behavioral1/memory/2468-308-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2468-310-0x0000000001D30000-0x0000000001D87000-memory.dmp	upx
behavioral1/memory/2136-315-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2132-320-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2404-324-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2228-331-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2228-333-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2168-340-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2168-342-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2132-347-0x0000000000540000-0x0000000000597000-memory.dmp	upx
behavioral1/memory/2680-348-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2680-352-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2684-360-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral1/memory/2648-366-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Drops file in System32 directory 12 IoCs

Processes:

backup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\backup.exe	backup.exe
File opened for modification	C:\Windows\SysWOW64\0410\backup.exe
File opened for modification	C:\Windows\SysWOW64\ar-SA\backup.exe
File opened for modification	C:\Windows\SysWOW64\bg-BG\backup.exe
File opened for modification	C:\Windows\SysWOW64\catroot2\backup.exe
File opened for modification	C:\Windows\SysWOW64\0407\backup.exe
File opened for modification	C:\Windows\SysWOW64\0409\backup.exe
File opened for modification	C:\Windows\SysWOW64\040C\backup.exe
File opened for modification	C:\Windows\SysWOW64\0411\backup.exe
File opened for modification	C:\Windows\SysWOW64\0C0A\backup.exe
File opened for modification	C:\Windows\SysWOW64\AdvancedInstallers\backup.exe
File opened for modification	C:\Windows\SysWOW64\catroot\backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\update.exe	backup.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe
File opened for modification	C:\Program Files\Windows Media Player\Icons\backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\backup.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe	backup.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\data.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\update.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\data.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\backup.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\backup.exe	backup.exe

Drops file in Windows directory 64 IoCs

Processes:

backup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.UI\6.1.0.0__31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcstoredb\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Specialized\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\it\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\backup.exe
File opened for modification	C:\Windows\security\templates\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\CustomMarshalers\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SecurityAuditPolici#\backup.exe
File opened for modification	C:\Windows\PLA\Rules\it-IT\backup.exe
File opened for modification	C:\Windows\inf\wsearchidxpi\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\XamlViewer\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\Migration\WTR\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_ja_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\PLA\Templates\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ja-JP\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Synchronization.Data.SqlServerCe\3.5.0.0__89845dcd8080cc91\backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Excel.v9.0\9.0.0.0__b03f5f7f11d50a3a\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\backup.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\Shell\NormalColor\es-ES\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ReachFramework\v4.0_4.0.0.0__31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\System.Web\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Runtime.Intl\14.0.0.0__71e9bce111e9429c\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.InfoPath.Client.Internal.Host\14.0.0.0__71e9bce111e9429c\backup.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0005\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_es_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_fr_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\MOF\es\data.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.v3.5\3.5.0.0__b03f5f7f11d50a3a\backup.exe
File opened for modification	C:\Windows\inf\aspnet_state\000C\backup.exe
File opened for modification	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0416\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\System Restore.exe
File opened for modification	C:\Windows\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiExtens\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.Resources\1.0.0.0_es_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\ReachFramework\backup.exe
File opened for modification	C:\Windows\Globalization\Sorting\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data.OracleClient\update.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\299d0b38053fd7cbd84bac2178c3703b\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\backup.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\a5daafd496ae30928b7ac626037af53c\System Restore.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Printing\aac5817d96d0ddcffebc1c45000e9008\backup.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Music\backup.exe
File opened for modification	C:\Windows\inf\aspnet_state\0005\backup.exe
File opened for modification	C:\Windows\inf\BITS\data.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\e4031bd0b7706fd0a686e9bb6353aa2a\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\backup.exe
File opened for modification	C:\Windows\inf\usbhub\0409\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\MOF\fr\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\ja\System Restore.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard\backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe

pid process

616 22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exe

pid	process
616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
1976	backup.exe
3056	backup.exe
2696	backup.exe
2068	backup.exe
2768	backup.exe
2668	backup.exe
2516	backup.exe
2548	backup.exe
2988	backup.exe
1636	backup.exe
2584	backup.exe
880	backup.exe
2836	backup.exe
2244	backup.exe
1964	backup.exe
2192	backup.exe
268	backup.exe
2280	backup.exe
2468	backup.exe
2320	backup.exe
2132	backup.exe
1604	System Restore.exe
1888	backup.exe
552	backup.exe
3004	backup.exe
2136	backup.exe
2404	backup.exe
2228	backup.exe
2168	backup.exe
2680	backup.exe
2684	backup.exe
2648	backup.exe
2892	backup.exe
2748	data.exe
2496	backup.exe
2560	backup.exe
2976	backup.exe
2472	backup.exe
1780	System Restore.exe
2724	backup.exe
2000	backup.exe
328	backup.exe
2484	backup.exe
2736	backup.exe
1612	backup.exe
1676	backup.exe
1764	backup.exe
2920	System Restore.exe
476	backup.exe
1464	backup.exe
544	update.exe
2464	backup.exe
2368	backup.exe
1532	backup.exe
940	backup.exe
1892	update.exe
3012	backup.exe
2144	backup.exe
540	backup.exe
1724	backup.exe
1596	update.exe
2204	backup.exe
2644	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	pid	process	target process
PID 616 wrote to memory of 1976	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 1976	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 1976	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 1976	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 3056	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 3056	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 3056	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 3056	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2696	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2696	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2696	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2696	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2068	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2068	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2068	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2068	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2768	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2768	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2768	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2768	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2668	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2668	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2668	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2668	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2516	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2516	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2516	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2516	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 2516 wrote to memory of 2548	2516	backup.exe	backup.exe
PID 2516 wrote to memory of 2548	2516	backup.exe	backup.exe
PID 2516 wrote to memory of 2548	2516	backup.exe	backup.exe
PID 2516 wrote to memory of 2548	2516	backup.exe	backup.exe
PID 616 wrote to memory of 2988	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2988	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2988	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2988	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 2988 wrote to memory of 1636	2988	backup.exe	backup.exe
PID 2988 wrote to memory of 1636	2988	backup.exe	backup.exe
PID 2988 wrote to memory of 1636	2988	backup.exe	backup.exe
PID 2988 wrote to memory of 1636	2988	backup.exe	backup.exe
PID 616 wrote to memory of 2584	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2584	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2584	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 616 wrote to memory of 2584	616	22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe	backup.exe
PID 1976 wrote to memory of 880	1976	backup.exe	backup.exe
PID 1976 wrote to memory of 880	1976	backup.exe	backup.exe
PID 1976 wrote to memory of 880	1976	backup.exe	backup.exe
PID 1976 wrote to memory of 880	1976	backup.exe	backup.exe
PID 880 wrote to memory of 2836	880	backup.exe	backup.exe
PID 880 wrote to memory of 2836	880	backup.exe	backup.exe
PID 880 wrote to memory of 2836	880	backup.exe	backup.exe
PID 880 wrote to memory of 2836	880	backup.exe	backup.exe
PID 2836 wrote to memory of 2244	2836	backup.exe	backup.exe
PID 2836 wrote to memory of 2244	2836	backup.exe	backup.exe
PID 2836 wrote to memory of 2244	2836	backup.exe	backup.exe
PID 2836 wrote to memory of 2244	2836	backup.exe	backup.exe
PID 880 wrote to memory of 1964	880	backup.exe	backup.exe
PID 880 wrote to memory of 1964	880	backup.exe	backup.exe
PID 880 wrote to memory of 1964	880	backup.exe	backup.exe
PID 880 wrote to memory of 1964	880	backup.exe	backup.exe
PID 1964 wrote to memory of 2192	1964	backup.exe	backup.exe
PID 1964 wrote to memory of 2192	1964	backup.exe	backup.exe
PID 1964 wrote to memory of 2192	1964	backup.exe	backup.exe
PID 1964 wrote to memory of 2192	1964	backup.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe

C:\Users\Admin\AppData\Local\Temp\22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe
"C:\Users\Admin\AppData\Local\Temp\22e6c8800adde4995c184b84ffc815450fc63303286e8a6c8a025a9602f26a6f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:616

C:\Users\Admin\AppData\Local\Temp\411840959\backup.exe
C:\Users\Admin\AppData\Local\Temp\411840959\backup.exe C:\Users\Admin\AppData\Local\Temp\411840959\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2192

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:268

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Program Files\Common Files\Microsoft Shared\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:552

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2496

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:328

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:476

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:544

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:940

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:540

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
8⤵
- Executes dropped EXE
PID:2760

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
8⤵
PID:2764

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
8⤵
PID:2876

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
8⤵
PID:2852

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
PID:2492

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\update.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
PID:2020

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
PID:2536

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
PID:2516

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
PID:1144

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2744

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
PID:2000

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
PID:2820

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
PID:2840

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
- Modifies visibility of file extensions in Explorer
PID:1620

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
PID:1552

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
PID:1924

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
PID:2424

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
PID:332

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
PID:1632

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
PID:1788

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
PID:676

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
PID:2464

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
PID:2324

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:1344

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
PID:1236

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
PID:1904

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
PID:552

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
PID:2308

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
8⤵
PID:872

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
PID:2460

C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
PID:1700

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
PID:2216

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
8⤵
PID:2636

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
9⤵
PID:2644

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
PID:2624

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
PID:1276

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
PID:2796

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Drops file in Program Files directory
PID:2780

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
PID:2552

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
PID:2568

C:\Program Files\Common Files\System\ado\en-US\System Restore.exe
"C:\Program Files\Common Files\System\ado\en-US\System Restore.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
PID:2972

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
PID:2980

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
PID:2264

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
PID:2060

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
PID:2988

C:\Program Files\Common Files\System\de-DE\update.exe
"C:\Program Files\Common Files\System\de-DE\update.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
- System policy modification
PID:2968

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:2744

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
PID:2156

C:\Program Files\Common Files\System\fr-FR\update.exe
"C:\Program Files\Common Files\System\fr-FR\update.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
PID:2892

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
PID:2756

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
- System policy modification
PID:1568

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
PID:1812

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
8⤵
PID:1612

C:\Program Files\Common Files\System\msadc\en-US\backup.exe
"C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
8⤵
PID:1552

C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
8⤵
PID:3032

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
8⤵
PID:2116

C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
8⤵
PID:2036

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
8⤵
PID:972

C:\Program Files\Common Files\System\Ole DB\backup.exe
"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
- Drops file in Program Files directory
PID:268

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
PID:2100

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
PID:748

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
PID:2188

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
PID:2176

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
PID:1056

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
PID:596

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
PID:1604

C:\Program Files\DVD Maker\de-DE\backup.exe
"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
PID:1236

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
PID:2956

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
PID:2960

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
PID:2144

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
PID:2136

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
PID:2324

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
PID:2028

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Drops file in Program Files directory
PID:1252

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
PID:1272

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
PID:2640

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
PID:2684

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
PID:2636

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
8⤵
PID:2652

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
8⤵
PID:2520

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
8⤵
PID:1276

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
8⤵
PID:2508

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
8⤵
PID:2540

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
8⤵
PID:2976

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
8⤵
PID:2328

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
8⤵
PID:2312

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
8⤵
PID:2516

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
8⤵
PID:1780

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
8⤵
PID:976

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
8⤵
PID:1988

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\data.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
8⤵
PID:2732

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
8⤵
PID:2824

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
8⤵
PID:2868

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
8⤵
PID:1664

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
PID:1620

C:\Program Files\Google\Chrome\backup.exe
"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
6⤵
PID:1844

C:\Program Files\Google\Chrome\Application\data.exe
"C:\Program Files\Google\Chrome\Application\data.exe" C:\Program Files\Google\Chrome\Application\
7⤵
PID:2124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
8⤵
PID:2916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
9⤵
PID:2240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
9⤵
PID:664

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
9⤵
PID:2076

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
9⤵
PID:824

C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
9⤵
PID:1464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
9⤵
PID:1028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
9⤵
PID:2088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
10⤵
PID:2320

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
11⤵
PID:2332

C:\Program Files\Google\Chrome\Application\SetupMetrics\update.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\update.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
PID:1656

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
PID:2280

C:\Program Files\Internet Explorer\de-DE\System Restore.exe
"C:\Program Files\Internet Explorer\de-DE\System Restore.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
PID:2384

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:1888

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
PID:2292

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:2052

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:1372

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:2368

C:\Program Files\Internet Explorer\ja-JP\data.exe
"C:\Program Files\Internet Explorer\ja-JP\data.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
PID:1592

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:1216

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
PID:2588

C:\Program Files\Java\jdk1.7.0_80\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
6⤵
PID:2900

C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
7⤵
PID:2288

C:\Program Files\Java\jdk1.7.0_80\db\update.exe
"C:\Program Files\Java\jdk1.7.0_80\db\update.exe" C:\Program Files\Java\jdk1.7.0_80\db\
7⤵
PID:2216

C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
8⤵
PID:2604

C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
8⤵
PID:1420

C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
7⤵
PID:2520

C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
8⤵
PID:1928

C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
9⤵
PID:2496

C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
7⤵
PID:3000

C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
8⤵
PID:352

C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
9⤵
PID:2304

C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\data.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
9⤵
PID:864

C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
9⤵
PID:1936

C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
8⤵
- Drops file in Program Files directory
PID:2552

C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
9⤵
PID:380

C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
9⤵
PID:1048

C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
9⤵
PID:328

C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
9⤵
PID:2864

C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
9⤵
PID:2612

C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
9⤵
PID:2248

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
9⤵
PID:1604

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
10⤵
PID:1504

C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
9⤵
PID:2476

C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
9⤵
PID:2160

C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
9⤵
PID:2116

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
9⤵
- Drops file in Program Files directory
PID:2036

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
10⤵
PID:1812

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
10⤵
PID:856

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
11⤵
PID:2100

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
11⤵
PID:1900

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
11⤵
PID:2176

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
11⤵
PID:1532

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
10⤵
PID:3032

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
10⤵
PID:1552

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
10⤵
PID:1344

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
10⤵
PID:2276

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
10⤵
PID:3036

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
10⤵
PID:3004

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
10⤵
PID:1640

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
10⤵
PID:2952

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
10⤵
PID:2888

C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
7⤵
PID:1564

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
8⤵
- Drops file in Program Files directory
PID:2212

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
9⤵
PID:2064

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
10⤵
PID:2640

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
10⤵
PID:640

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
9⤵
PID:2648

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
9⤵
PID:2632

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
10⤵
PID:2628

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
10⤵
PID:1276

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
10⤵
PID:2508

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
10⤵
PID:2568

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
10⤵
PID:2972

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
10⤵
PID:2984

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
10⤵
PID:1412

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
10⤵
PID:2516

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
10⤵
PID:1936

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
10⤵
- Drops file in Program Files directory
PID:976

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
11⤵
PID:1988

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
10⤵
PID:2732

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
11⤵
PID:2824

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
10⤵
PID:2868

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
11⤵
PID:1664

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
10⤵
PID:2084

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
11⤵
PID:1312

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
10⤵
PID:2816

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
11⤵
PID:2792

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
10⤵
PID:760

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\
11⤵
PID:972

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
10⤵
PID:324

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\
11⤵
PID:1788

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\
10⤵
PID:544

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\
11⤵
PID:2464

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\
10⤵
PID:944

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\
11⤵
PID:2188

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\
10⤵
PID:1460

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\
11⤵
PID:1620

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\
10⤵
PID:888

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\
11⤵
PID:2384

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\
10⤵
PID:2356

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\
11⤵
PID:2172

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\
10⤵
PID:540

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\
11⤵
PID:624

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
9⤵
- Drops file in Program Files directory
PID:2368

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
10⤵
PID:2552

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
11⤵
PID:2224

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
12⤵
- Modifies visibility of file extensions in Explorer
PID:1980

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
10⤵
PID:2760

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
11⤵
PID:2656

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
12⤵
PID:2764

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
9⤵
PID:2784

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
10⤵
PID:2608

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
11⤵
PID:2032

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
12⤵
- Drops file in Program Files directory
PID:2664

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
13⤵
PID:3028

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
13⤵
PID:2020

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
13⤵
PID:2252

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
11⤵
PID:2072

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
11⤵
- Modifies visibility of file extensions in Explorer
PID:1636

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
10⤵
PID:1048

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
11⤵
PID:1736

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
11⤵
PID:1908

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
11⤵
PID:2284

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
11⤵
PID:1052

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
10⤵
PID:576

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
11⤵
PID:2372

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
10⤵
PID:1544

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
11⤵
PID:2332

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\
12⤵
PID:2916

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\
11⤵
PID:1852

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\
11⤵
PID:2956

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
8⤵
PID:1640

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
9⤵
PID:2036

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
9⤵
PID:3056

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
10⤵
PID:2288

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
11⤵
PID:2600

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
11⤵
PID:2676

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
10⤵
PID:2616

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\
11⤵
PID:3028

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
10⤵
PID:2828

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\
11⤵
PID:352

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
10⤵
PID:976

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\
11⤵
PID:2872

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\
12⤵
PID:1736

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\
11⤵
PID:1312

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
10⤵
PID:2156

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
9⤵
PID:1496

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\
10⤵
PID:1788

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\
11⤵
PID:1464

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\
10⤵
PID:2100

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\
11⤵
PID:1892

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\
12⤵
PID:1888

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
13⤵
PID:2956

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\
12⤵
PID:2928

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
13⤵
PID:3000

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\
11⤵
PID:2232

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\
10⤵
PID:2896

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\
11⤵
PID:2852

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\
10⤵
PID:1624

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
9⤵
PID:2972

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\
10⤵
PID:2616

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\
11⤵
PID:800

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\
10⤵
- Drops file in Program Files directory
PID:2988

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\
11⤵
PID:1568

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\
10⤵
PID:2612

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\
11⤵
PID:2300

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\
10⤵
PID:264

C:\Program Files\Java\jre7\backup.exe
"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
6⤵
- Drops file in Program Files directory
PID:768

C:\Program Files\Java\jre7\bin\backup.exe
"C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
7⤵
- Modifies visibility of file extensions in Explorer
PID:3056

C:\Program Files\Java\jre7\bin\dtplugin\data.exe
"C:\Program Files\Java\jre7\bin\dtplugin\data.exe" C:\Program Files\Java\jre7\bin\dtplugin\
8⤵
PID:856

C:\Program Files\Java\jre7\bin\plugin2\backup.exe
"C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
8⤵
PID:1088

C:\Program Files\Java\jre7\bin\server\backup.exe
"C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
8⤵
PID:2660

C:\Program Files\Java\jre7\lib\backup.exe
"C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
7⤵
- Drops file in Program Files directory
PID:2396

C:\Program Files\Java\jre7\lib\amd64\backup.exe
"C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
8⤵
PID:2212

C:\Program Files\Java\jre7\lib\applet\System Restore.exe
"C:\Program Files\Java\jre7\lib\applet\System Restore.exe" C:\Program Files\Java\jre7\lib\applet\
8⤵
PID:2888

C:\Program Files\Java\jre7\lib\cmm\backup.exe
"C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
8⤵
PID:2632

C:\Program Files\Java\jre7\lib\deploy\backup.exe
"C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\
8⤵
PID:2644

C:\Program Files\Java\jre7\lib\ext\backup.exe
"C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
8⤵
PID:2760

C:\Program Files\Java\jre7\lib\fonts\backup.exe
"C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\
8⤵
PID:2544

C:\Program Files\Java\jre7\lib\images\backup.exe
"C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
8⤵
PID:2568

C:\Program Files\Java\jre7\lib\images\cursors\backup.exe
"C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\
9⤵
PID:2628

C:\Program Files\Java\jre7\lib\jfr\backup.exe
"C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
8⤵
PID:2004

C:\Program Files\Java\jre7\lib\management\backup.exe
"C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\
8⤵
PID:1636

C:\Program Files\Java\jre7\lib\security\backup.exe
"C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
8⤵
PID:832

C:\Program Files\Java\jre7\lib\zi\backup.exe
"C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\
8⤵
PID:2480

C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe" C:\Program Files\Java\jre7\lib\zi\Africa\
9⤵
PID:756

C:\Program Files\Java\jre7\lib\zi\America\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\
9⤵
PID:1764

C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\
10⤵
PID:2792

C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\
10⤵
PID:2900

C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\
10⤵
PID:1784

C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\
10⤵
PID:1056

C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\
9⤵
PID:1280

C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Asia\
9⤵
PID:1656

C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jre7\lib\zi\Atlantic\
9⤵
PID:2076

C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Australia\
9⤵
PID:2784

C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe" C:\Program Files\Java\jre7\lib\zi\Etc\
9⤵
PID:2936

C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe" C:\Program Files\Java\jre7\lib\zi\Europe\
9⤵
PID:2228

C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe" C:\Program Files\Java\jre7\lib\zi\Indian\
9⤵
PID:2356

C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jre7\lib\zi\Pacific\
9⤵
PID:2224

C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe
"C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jre7\lib\zi\SystemV\
9⤵
PID:2796

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
PID:3024

C:\Program Files\Microsoft Games\Chess\backup.exe
"C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
6⤵
PID:2532

C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
7⤵
PID:1376

C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
"C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
7⤵
PID:2860

C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
7⤵
PID:1988

C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
7⤵
PID:788

C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
7⤵
PID:2028

C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
7⤵
PID:1572

C:\Program Files\Microsoft Games\FreeCell\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
6⤵
PID:2240

C:\Program Files\Microsoft Games\FreeCell\de-DE\data.exe
"C:\Program Files\Microsoft Games\FreeCell\de-DE\data.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
7⤵
PID:976

C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
7⤵
PID:2900

C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
7⤵
PID:1124

C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
7⤵
PID:2188

C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
7⤵
PID:596

C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
7⤵
PID:1844

C:\Program Files\Microsoft Games\Hearts\backup.exe
"C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
6⤵
PID:2076

C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
7⤵
PID:1236

C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe
"C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
7⤵
- Modifies visibility of file extensions in Explorer
PID:940

C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
7⤵
PID:604

C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
7⤵
PID:2064

C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
7⤵
PID:2368

C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
7⤵
PID:2132

C:\Program Files\Microsoft Games\Mahjong\System Restore.exe
"C:\Program Files\Microsoft Games\Mahjong\System Restore.exe" C:\Program Files\Microsoft Games\Mahjong\
6⤵
PID:2592

C:\Program Files\Microsoft Games\Mahjong\de-DE\data.exe
"C:\Program Files\Microsoft Games\Mahjong\de-DE\data.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\
7⤵
PID:2540

C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\
7⤵
PID:1412

C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\
7⤵
PID:2016

C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\
7⤵
PID:1988

C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\
7⤵
- System policy modification
PID:2608

C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\
7⤵
PID:752

C:\Program Files\Microsoft Games\Minesweeper\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
6⤵
PID:2300

C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
7⤵
PID:1564

C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\
7⤵
PID:1812

C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\
7⤵
PID:2116

C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\
7⤵
PID:2376

C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\
7⤵
PID:544

C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\
7⤵
PID:1852

C:\Program Files\Microsoft Games\More Games\backup.exe
"C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
6⤵
PID:1912

C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe
"C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\
7⤵
PID:2172

C:\Program Files\Microsoft Games\More Games\en-US\backup.exe
"C:\Program Files\Microsoft Games\More Games\en-US\backup.exe" C:\Program Files\Microsoft Games\More Games\en-US\
7⤵
PID:1488

C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe
"C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe" C:\Program Files\Microsoft Games\More Games\es-ES\
7⤵
PID:2936

C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\
7⤵
PID:3048

C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe
"C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe" C:\Program Files\Microsoft Games\More Games\it-IT\
7⤵
PID:2296

C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe" C:\Program Files\Microsoft Games\More Games\ja-JP\
7⤵
PID:1148

C:\Program Files\Microsoft Games\Multiplayer\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
6⤵
PID:2288

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\
7⤵
PID:2852

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\
8⤵
PID:2664

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\
8⤵
PID:2340

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\
8⤵
PID:2932

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\
8⤵
PID:800

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\
8⤵
PID:2840

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\
8⤵
PID:1668

C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\
7⤵
PID:1984

C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\
8⤵
PID:2808

C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\
8⤵
PID:2156

C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\
8⤵
PID:316

C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\
8⤵
PID:1296

C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\
8⤵
PID:1464

C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\
8⤵
PID:856

C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\
7⤵
PID:596

C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\
8⤵
PID:1320

C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\
8⤵
PID:1544

C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\
8⤵
PID:2748

C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\
8⤵
PID:2960

C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\System Restore.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\System Restore.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\
8⤵
PID:2800

C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\
8⤵
PID:2224

C:\Program Files\Microsoft Games\Purble Place\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
6⤵
PID:2636

C:\Program Files\Microsoft Games\Purble Place\de-DE\update.exe
"C:\Program Files\Microsoft Games\Purble Place\de-DE\update.exe" C:\Program Files\Microsoft Games\Purble Place\de-DE\
7⤵
PID:2760

C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe" C:\Program Files\Microsoft Games\Purble Place\en-US\
7⤵
PID:1600

C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe" C:\Program Files\Microsoft Games\Purble Place\es-ES\
7⤵
PID:2072

C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Purble Place\fr-FR\
7⤵
PID:2596

C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe" C:\Program Files\Microsoft Games\Purble Place\it-IT\
7⤵
PID:2568

C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Purble Place\ja-JP\
7⤵
PID:2008

C:\Program Files\Microsoft Games\Solitaire\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\backup.exe" C:\Program Files\Microsoft Games\Solitaire\
6⤵
PID:1512

C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\Solitaire\de-DE\
7⤵
PID:2976

C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\Solitaire\en-US\
7⤵
PID:2972

C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\Solitaire\es-ES\
7⤵
PID:2692

C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Solitaire\fr-FR\
7⤵
PID:1884

C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\Solitaire\it-IT\
7⤵
PID:776

C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Solitaire\ja-JP\
7⤵
PID:2176

C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\
6⤵
PID:1984

C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\
7⤵
PID:1568

C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\
7⤵
PID:2184

C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\
7⤵
PID:2036

C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\
7⤵
PID:1488

C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\
7⤵
PID:2468

C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\
7⤵
PID:1704

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:2224

C:\Program Files\Microsoft Office\Office14\backup.exe
"C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
6⤵
PID:972

C:\Program Files\Microsoft Office\Office14\1033\backup.exe
"C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
7⤵
PID:2768

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:1600

C:\Program Files\Mozilla Firefox\browser\backup.exe
"C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
6⤵
PID:2860

C:\Program Files\Mozilla Firefox\browser\features\backup.exe
"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
7⤵
PID:2396

C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
"C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
7⤵
PID:1988

C:\Program Files\Mozilla Firefox\defaults\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
6⤵
PID:1504

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
7⤵
PID:2476

C:\Program Files\Mozilla Firefox\fonts\backup.exe
"C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
6⤵
PID:1252

C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
6⤵
PID:1572

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
7⤵
- System policy modification
PID:1092

C:\Program Files\Mozilla Firefox\uninstall\backup.exe
"C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
6⤵
PID:324

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:1896

C:\Program Files\MSBuild\Microsoft\backup.exe
"C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
6⤵
PID:2916

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
7⤵
- Drops file in Program Files directory
PID:2724

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System Restore.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\System Restore.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
8⤵
PID:2300

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
8⤵
PID:1796

C:\Program Files\Reference Assemblies\backup.exe
"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
5⤵
PID:2952

C:\Program Files\Reference Assemblies\Microsoft\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
6⤵
PID:1592

C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
7⤵
PID:2936

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
8⤵
PID:1892

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
9⤵
PID:2288

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
9⤵
PID:2796

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\update.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
9⤵
PID:1144

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
9⤵
PID:2472

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
9⤵
PID:1780

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
9⤵
PID:2772

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
8⤵
PID:2840

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
9⤵
PID:1668

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
9⤵
PID:556

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
9⤵
PID:1504

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
9⤵
PID:1708

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
9⤵
PID:1968

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
9⤵
PID:776

C:\Program Files\VideoLAN\backup.exe
"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
5⤵
PID:1812

C:\Program Files\VideoLAN\VLC\backup.exe
"C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
6⤵
PID:1028

C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
7⤵
PID:2696

C:\Program Files\VideoLAN\VLC\locale\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
7⤵
- Drops file in Program Files directory
PID:2388

C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
8⤵
PID:2172

C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
9⤵
PID:1216

C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
8⤵
PID:2220

C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
9⤵
PID:2876

C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
8⤵
PID:2688

C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
9⤵
PID:2600

C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\
8⤵
PID:2132

C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\
9⤵
PID:2768

C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
8⤵
PID:2004

C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
9⤵
- Modifies visibility of file extensions in Explorer
PID:2596

C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
8⤵
PID:2868

C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
9⤵
PID:2860

C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
8⤵
PID:1736

C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
9⤵
PID:2992

C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
8⤵
PID:760

C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
9⤵
PID:1096

C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
8⤵
PID:2236

C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\
9⤵
PID:1296

C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\
8⤵
PID:2704

C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
9⤵
PID:1904

C:\Program Files\VideoLAN\VLC\locale\bn\update.exe
"C:\Program Files\VideoLAN\VLC\locale\bn\update.exe" C:\Program Files\VideoLAN\VLC\locale\bn\
8⤵
PID:1656

C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
9⤵
PID:1236

C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\
8⤵
PID:3000

C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\
9⤵
PID:2404

C:\Program Files\VideoLAN\VLC\locale\br\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\
8⤵
PID:552

C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
9⤵
PID:1912

C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\
8⤵
PID:596

C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\
9⤵
PID:1316

C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\
8⤵
PID:2216

C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\
9⤵
PID:2508

C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\
8⤵
PID:2072

C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\
9⤵
PID:1780

C:\Program Files\VideoLAN\VLC\locale\ca@valencia\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca@valencia\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\
8⤵
PID:1420

C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\
9⤵
PID:2136

C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\
8⤵
PID:2920

C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\
9⤵
PID:752

C:\Program Files\VideoLAN\VLC\locale\co\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\co\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\
8⤵
PID:2156

C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\
9⤵
PID:1760

C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\
8⤵
PID:1552

C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\
9⤵
PID:1592

C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1504

C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\
9⤵
PID:2332

C:\Program Files\VideoLAN\VLC\locale\da\System Restore.exe
"C:\Program Files\VideoLAN\VLC\locale\da\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\da\
8⤵
PID:1476

C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\
9⤵
PID:1236

C:\Program Files\VideoLAN\VLC\locale\de\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\de\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\
8⤵
PID:2964

C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\
9⤵
PID:2100

C:\Program Files\VideoLAN\VLC\locale\el\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\el\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\
8⤵
PID:1704

C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\
9⤵
PID:2676

C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\
8⤵
PID:2796

C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\
9⤵
PID:2544

C:\Program Files\VideoLAN\VLC\locale\eo\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\eo\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eo\
8⤵
PID:2472

C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\data.exe
"C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\
9⤵
PID:2052

C:\Program Files\VideoLAN\VLC\locale\es\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\es\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\
8⤵
PID:2584

C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\
9⤵
PID:2868

C:\Program Files\VideoLAN\VLC\locale\es_MX\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\es_MX\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es_MX\
8⤵
PID:2564

C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\
9⤵
PID:2844

C:\Program Files\VideoLAN\VLC\locale\et\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\et\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\
8⤵
PID:2284

C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\
9⤵
PID:2736

C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\
8⤵
PID:2904

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\
9⤵
PID:1992

C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\
8⤵
PID:1844

C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\
9⤵
PID:2624

C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\
8⤵
PID:1416

C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\
9⤵
PID:2580

C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\
8⤵
PID:2032

C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\
9⤵
PID:2672

C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\
8⤵
PID:2264

C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\
9⤵
PID:1668

C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\
8⤵
PID:2584

C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\
9⤵
PID:2380

C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\
8⤵
PID:1592

C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\
9⤵
PID:896

C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\
8⤵
PID:1940

C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\
9⤵
PID:1236

C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\
8⤵
PID:1420

C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\
9⤵
PID:1912

C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\
8⤵
PID:616

C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\
9⤵
PID:596

C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\
8⤵
PID:2340

C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\
9⤵
PID:2988

C:\Program Files\VideoLAN\VLC\locale\he\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\he\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\
8⤵
PID:1700

C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\
9⤵
PID:532

C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\
8⤵
PID:2584

C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\
9⤵
PID:1792

C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\
8⤵
PID:760

C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\
9⤵
PID:1372

C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\
8⤵
PID:2776

C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\
9⤵
PID:3048

C:\Program Files\VideoLAN\VLC\locale\hy\update.exe
"C:\Program Files\VideoLAN\VLC\locale\hy\update.exe" C:\Program Files\VideoLAN\VLC\locale\hy\
8⤵
PID:2436

C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\
9⤵
PID:1624

C:\Program Files\VideoLAN\VLC\locale\id\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\id\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\
8⤵
PID:2700

C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\
9⤵
PID:2076

C:\Program Files\VideoLAN\VLC\locale\ie\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ie\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ie\
8⤵
PID:2824

C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\
9⤵
PID:1320

C:\Program Files\VideoLAN\VLC\locale\is\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\is\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\
8⤵
PID:2416

C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\
9⤵
PID:2136

C:\Program Files\VideoLAN\VLC\locale\it\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\it\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\
8⤵
PID:2772

C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\
9⤵
PID:1312

C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\
8⤵
PID:2704

C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\
9⤵
PID:2936

C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\
8⤵
PID:1992

C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\
9⤵
PID:2100

C:\Program Files\VideoLAN\VLC\locale\kab\update.exe
"C:\Program Files\VideoLAN\VLC\locale\kab\update.exe" C:\Program Files\VideoLAN\VLC\locale\kab\
8⤵
PID:1928

C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\
9⤵
PID:1148

C:\Program Files\VideoLAN\VLC\locale\kk\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\
8⤵
PID:2132

C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\
9⤵
PID:2912

C:\Program Files\VideoLAN\VLC\locale\km\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\km\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\
8⤵
PID:1144

C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\
9⤵
PID:2852

C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\
8⤵
PID:2328

C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\
9⤵
PID:268

C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\
8⤵
PID:2752

C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\data.exe
"C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\
9⤵
PID:476

C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\
8⤵
PID:2324

C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\
9⤵
PID:1528

C:\Program Files\VideoLAN\VLC\locale\ku_IQ\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ku_IQ\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ku_IQ\
8⤵
PID:3048

C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\
9⤵
PID:1236

C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\
8⤵
PID:2896

C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\
9⤵
PID:2764

C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\
8⤵
PID:2016

C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\
9⤵
PID:3064

C:\Program Files\VideoLAN\VLC\locale\lo\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lo\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lo\
8⤵
PID:2932

C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\
9⤵
PID:2960

C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\
8⤵
PID:1640

C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\
9⤵
PID:2868

C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\
8⤵
PID:2176

C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\
9⤵
PID:576

C:\Program Files\VideoLAN\VLC\locale\mai\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mai\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mai\
8⤵
PID:2160

C:\Program Files (x86)\backup.exe
"C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
4⤵
- Drops file in Program Files directory
PID:2096

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
PID:2564

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
PID:2848

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:2256

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Drops file in Program Files directory
PID:2456

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
PID:532

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
PID:332

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
PID:1632

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
PID:676

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:2716

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
PID:2660

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
PID:3008

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
PID:2904

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:2144

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
PID:2772

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
9⤵
PID:1700

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
10⤵
PID:2680

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
9⤵
PID:2648

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
10⤵
PID:2628

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
PID:1644

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
9⤵
PID:2020

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
10⤵
PID:1412

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
9⤵
PID:1936

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
10⤵
PID:2512

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
PID:1596

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
9⤵
PID:2836

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
8⤵
PID:2012

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
8⤵
PID:2816

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
PID:972

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
PID:2376

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
9⤵
PID:1028

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
PID:1844

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
PID:604

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
9⤵
PID:2388

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
9⤵
PID:2356

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
10⤵
PID:2144

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
11⤵
PID:2964

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
PID:2640

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
8⤵
PID:1512

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
9⤵
PID:1420

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
10⤵
PID:2996

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
10⤵
PID:2536

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
PID:2312

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
PID:2020

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
PID:788

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
PID:1724

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
PID:2136

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
PID:2912

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
PID:476

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
PID:332

C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
7⤵
PID:492

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
8⤵
PID:1320

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
9⤵
PID:1028

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
10⤵
PID:2436

C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
7⤵
PID:888

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
PID:3008

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
7⤵
PID:624

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
8⤵
PID:2024

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
PID:2224

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
- Drops file in Program Files directory
PID:2232

C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
7⤵
PID:2668

C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
7⤵
PID:2340

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
7⤵
PID:2472

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
8⤵
PID:2860

C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
7⤵
PID:800

C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
7⤵
PID:2892

C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
7⤵
PID:2080

C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
7⤵
PID:1676

C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
8⤵
PID:556

C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
8⤵
PID:316

C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
8⤵
- Modifies visibility of file extensions in Explorer
PID:264

C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
8⤵
PID:1760

C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
8⤵
PID:2372

C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
8⤵
PID:2464

C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
8⤵
PID:1460

C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
8⤵
PID:2436

C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
8⤵
PID:2172

C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
8⤵
PID:1332

C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
8⤵
PID:1216

C:\Program Files (x86)\Common Files\microsoft shared\ink\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
7⤵
- Modifies visibility of file extensions in Explorer
- Drops file in Program Files directory
PID:2992

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
8⤵
PID:2504

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
8⤵
- System policy modification
PID:1416

C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
8⤵
PID:2652

C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
8⤵
PID:1948

C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
8⤵
PID:2508

C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
8⤵
PID:2744

C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2728

C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
8⤵
PID:2892

C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
8⤵
PID:1252

C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
7⤵
PID:2284

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
7⤵
PID:2740

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
8⤵
PID:2192

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
7⤵
- Drops file in Program Files directory
PID:1704

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
8⤵
PID:1916

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
8⤵
PID:944

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
8⤵
PID:1280

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
8⤵
PID:1320

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
8⤵
PID:552

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
8⤵
PID:540

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
7⤵
- Drops file in Program Files directory
PID:2888

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
8⤵
PID:1848

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
8⤵
PID:2356

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
8⤵
- Drops file in Program Files directory
PID:1528

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
9⤵
PID:2768

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
9⤵
PID:1644

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
9⤵
PID:1948

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
9⤵
PID:1428

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
9⤵
PID:2744

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
9⤵
PID:2752

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
9⤵
- System policy modification
PID:1568

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
9⤵
PID:1596

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
9⤵
PID:2848

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
9⤵
PID:1572

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
9⤵
- Modifies visibility of file extensions in Explorer
PID:704

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
9⤵
PID:2192

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
9⤵
PID:1068

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
9⤵
PID:1364

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
9⤵
PID:2696

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
9⤵
PID:1844

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
9⤵
PID:2324

C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:1696

C:\Program Files (x86)\Common Files\microsoft shared\Portal\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Portal\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
7⤵
PID:2572

C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
8⤵
PID:2064

C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
7⤵
PID:2600

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
7⤵
PID:1008

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
8⤵
PID:3028

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
8⤵
PID:2312

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\
9⤵
PID:2672

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
7⤵
PID:2008

C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
7⤵
PID:2820

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
7⤵
PID:1568

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\
8⤵
PID:1908

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\
8⤵
PID:1312

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\
8⤵
PID:1640

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\
8⤵
PID:1968

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\
8⤵
PID:1812

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\
8⤵
PID:1836

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\
8⤵
PID:3012

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
7⤵
PID:3020

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\
8⤵
PID:2240

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\
8⤵
PID:552

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\
8⤵
PID:2928

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\
8⤵
PID:1704

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\
8⤵
PID:2604

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\
8⤵
PID:2640

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\
8⤵
PID:2980

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\
8⤵
PID:2588

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\
8⤵
PID:1284

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\
8⤵
PID:2540

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\
8⤵
PID:2492

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\
8⤵
PID:2460

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\
8⤵
PID:2732

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\
8⤵
PID:2056

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\
8⤵
PID:1252

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\
8⤵
PID:2848

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\
8⤵
PID:2996

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\
8⤵
PID:324

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\
8⤵
PID:1764

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\
8⤵
PID:2332

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\
8⤵
PID:856

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\
8⤵
PID:2944

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\
8⤵
PID:1372

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\
8⤵
PID:1592

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\
8⤵
PID:2336

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\
8⤵
PID:2960

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\
8⤵
PID:2688

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\
8⤵
PID:1276

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\
8⤵
PID:2132

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\
8⤵
PID:2648

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\
8⤵
PID:2664

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\
8⤵
PID:1780

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\
8⤵
PID:1376

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\
8⤵
PID:1700

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\
8⤵
PID:2500

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\
8⤵
PID:756

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\
8⤵
PID:1908

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\
8⤵
PID:2808

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\
8⤵
PID:1784

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\
8⤵
PID:976

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\
8⤵
PID:1124

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\
8⤵
PID:1512

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\
8⤵
PID:1280

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\
8⤵
PID:1844

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\
8⤵
PID:1828

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
7⤵
PID:624

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\
8⤵
PID:2468

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\
8⤵
PID:2356

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\
8⤵
PID:1928

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\
8⤵
PID:1276

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\
8⤵
PID:2984

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\
8⤵
PID:2496

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\
7⤵
- Drops file in Program Files directory
PID:2068

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\
8⤵
PID:380

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\
8⤵
PID:2568

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\
8⤵
PID:2460

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\
8⤵
PID:2248

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\
8⤵
PID:756

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\
8⤵
PID:2636

C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\
7⤵
PID:2592

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\
8⤵
PID:1760

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\
8⤵
PID:2088

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\
9⤵
PID:284

C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VC\
7⤵
PID:1068

C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VGX\
7⤵
PID:1732

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\
7⤵
PID:1320

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\
8⤵
PID:2276

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\
9⤵
PID:2404

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\
8⤵
PID:1676

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
9⤵
PID:2468

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\
8⤵
PID:2560

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
9⤵
PID:2816

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\
9⤵
PID:3028

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\
9⤵
PID:1284

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\
9⤵
PID:2744

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\
7⤵
PID:2752

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\
8⤵
PID:1700

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\
9⤵
- Modifies visibility of file extensions in Explorer
PID:2852

C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\
7⤵
PID:2160

C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\
8⤵
PID:2848

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\
7⤵
PID:1504

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1092

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\
9⤵
PID:1948

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\
10⤵
PID:1464

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:2176

C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
6⤵
PID:872

C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
7⤵
PID:856

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1896

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
7⤵
- Drops file in Program Files directory
PID:3008

C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
8⤵
PID:1300

C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
8⤵
PID:2572

C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
8⤵
PID:2764

C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
8⤵
PID:2076

C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
8⤵
PID:3064

C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
8⤵
PID:2516

C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
7⤵
PID:2016

C:\Program Files (x86)\Common Files\System\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
7⤵
PID:860

C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
7⤵
PID:2872

C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
7⤵
PID:1664

C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
7⤵
PID:2752

C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
7⤵
PID:1736

C:\Program Files (x86)\Common Files\System\msadc\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
7⤵
PID:1992

C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
8⤵
PID:1640

C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
8⤵
PID:1840

C:\Program Files (x86)\Common Files\System\msadc\es-ES\update.exe
"C:\Program Files (x86)\Common Files\System\msadc\es-ES\update.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
8⤵
PID:2736

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1464

C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
8⤵
PID:3012

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\System Restore.exe
"C:\Program Files (x86)\Common Files\System\msadc\ja-JP\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
8⤵
PID:1732

C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe
"C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\
7⤵
PID:2212

C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe
"C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\1033\
8⤵
PID:1656

C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
7⤵
PID:1848

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
8⤵
PID:2504

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
8⤵
PID:2272

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
8⤵
PID:1260

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
8⤵
PID:444

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
8⤵
PID:2032

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
8⤵
PID:2768

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
- Drops file in Program Files directory
PID:800

C:\Program Files (x86)\Google\CrashReports\update.exe
"C:\Program Files (x86)\Google\CrashReports\update.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
PID:2596

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
PID:2720

C:\Program Files (x86)\Google\Update\backup.exe
"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
6⤵
PID:2568

C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
7⤵
PID:1908

C:\Program Files (x86)\Google\Update\Download\backup.exe
"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
7⤵
PID:1900

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
8⤵
PID:2808

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
9⤵
PID:1620

C:\Program Files (x86)\Google\Update\Install\backup.exe
"C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
7⤵
PID:2188

C:\Program Files (x86)\Google\Update\Install\{A0DB34BA-83CF-47F6-9C74-18E331645027}\backup.exe
"C:\Program Files (x86)\Google\Update\Install\{A0DB34BA-83CF-47F6-9C74-18E331645027}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{A0DB34BA-83CF-47F6-9C74-18E331645027}\
8⤵
PID:1372

C:\Program Files (x86)\Google\Update\Offline\backup.exe
"C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
7⤵
PID:1544

C:\Program Files (x86)\Internet Explorer\backup.exe
"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:2280

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
PID:552

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
PID:1276

C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
6⤵
PID:1240

C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
"C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
6⤵
PID:1952

C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
6⤵
PID:2560

C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
"C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
6⤵
PID:860

C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2136

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:2628

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
6⤵
PID:2192

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
7⤵
PID:752

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
8⤵
PID:760

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
8⤵
PID:1836

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\
9⤵
PID:2776

C:\Program Files (x86)\Microsoft Office\System Restore.exe
"C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:2708

C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
6⤵
- Drops file in Program Files directory
PID:2024

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\
7⤵
PID:2624

C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\
7⤵
PID:972

C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\
8⤵
PID:2516

C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
6⤵
PID:2772

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\
7⤵
PID:1892

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\
7⤵
PID:756

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\
7⤵
PID:2244

C:\Program Files (x86)\Microsoft Office\MEDIA\data.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\data.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
6⤵
PID:2012

C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\
7⤵
PID:2936

C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\
8⤵
PID:1568

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\
7⤵
- Drops file in Program Files directory
PID:896

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\
8⤵
PID:2904

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\
8⤵
PID:800

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\update.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\update.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\
8⤵
PID:2600

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\
8⤵
PID:552

C:\Program Files (x86)\Microsoft Office\Office14\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\
6⤵
- Drops file in Program Files directory
PID:2352

C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\
7⤵
PID:1376

C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\
8⤵
PID:2080

C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\
8⤵
PID:2280

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\
8⤵
PID:2160

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\
9⤵
- Drops file in Program Files directory
PID:2260

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\
10⤵
PID:2168

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\
10⤵
PID:856

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\data.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\data.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\
10⤵
PID:640

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\
10⤵
PID:540

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\update.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\update.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\
10⤵
PID:2272

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\
10⤵
PID:3020

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\
10⤵
PID:2544

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\
10⤵
PID:2076

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\
10⤵
PID:2932

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\
10⤵
PID:2732

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\
10⤵
PID:2792

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\
10⤵
PID:2712

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\
10⤵
PID:2940

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\
10⤵
PID:1904

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\data.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\data.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\
10⤵
PID:3060

C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\
8⤵
PID:1460

C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\
8⤵
PID:640

C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\
8⤵
PID:1560

C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1036\
7⤵
- System policy modification
PID:624

C:\Program Files (x86)\Microsoft Office\Office14\3082\data.exe
"C:\Program Files (x86)\Microsoft Office\Office14\3082\data.exe" C:\Program Files (x86)\Microsoft Office\Office14\3082\
7⤵
PID:2580

C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\
7⤵
PID:2768

C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\
7⤵
PID:2912

C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\
7⤵
PID:2892

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\
7⤵
PID:1944

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\
8⤵
PID:264

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\
8⤵
PID:2380

C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\
7⤵
PID:1632

C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\
7⤵
- System policy modification
PID:2300

C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\
8⤵
PID:2308

C:\Users\data.exe
C:\Users\data.exe C:\Users\
4⤵
PID:2020

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
PID:2864

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
PID:1800

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
PID:2012

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:1884

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:1272

C:\Users\Admin\Favorites\backup.exe
C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
6⤵
PID:2608

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
PID:2332

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
PID:940

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:2680

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
PID:2368

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:2652

C:\Users\Admin\Videos\update.exe
C:\Users\Admin\Videos\update.exe C:\Users\Admin\Videos\
6⤵
PID:468

C:\Users\Public\System Restore.exe
"C:\Users\Public\System Restore.exe" C:\Users\Public\
5⤵
PID:2916

C:\Users\Public\Documents\data.exe
C:\Users\Public\Documents\data.exe C:\Users\Public\Documents\
6⤵
PID:380

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:2728

C:\Users\Public\Music\data.exe
C:\Users\Public\Music\data.exe C:\Users\Public\Music\
6⤵
PID:1468

C:\Users\Public\Music\Sample Music\backup.exe
"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
7⤵
PID:1312

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:576

C:\Users\Public\Pictures\Sample Pictures\backup.exe
"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
7⤵
PID:1632

C:\Users\Public\Recorded TV\backup.exe
"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
6⤵
PID:1732

C:\Users\Public\Recorded TV\Sample Media\backup.exe
"C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
7⤵
PID:2308

C:\Users\Public\Videos\System Restore.exe
"C:\Users\Public\Videos\System Restore.exe" C:\Users\Public\Videos\
6⤵
PID:1216

C:\Users\Public\Videos\Sample Videos\backup.exe
"C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
7⤵
PID:1676

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2876

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
PID:2392

C:\Windows\AppCompat\backup.exe
C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
5⤵
PID:1536

C:\Windows\AppPatch\backup.exe
C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
5⤵
PID:1636

C:\Windows\AppPatch\AppPatch64\backup.exe
C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
6⤵
PID:3024

C:\Windows\AppPatch\Custom\backup.exe
C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
6⤵
PID:2424

C:\Windows\AppPatch\Custom\Custom64\backup.exe
C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
7⤵
PID:1668

C:\Windows\AppPatch\de-DE\data.exe
C:\Windows\AppPatch\de-DE\data.exe C:\Windows\AppPatch\de-DE\
6⤵
PID:1056

C:\Windows\AppPatch\en-US\backup.exe
C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
6⤵
PID:2088

C:\Windows\AppPatch\es-ES\backup.exe
C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
6⤵
PID:968

C:\Windows\AppPatch\fr-FR\System Restore.exe
"C:\Windows\AppPatch\fr-FR\System Restore.exe" C:\Windows\AppPatch\fr-FR\
6⤵
PID:2748

C:\Windows\AppPatch\it-IT\backup.exe
C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
6⤵
PID:1048

C:\Windows\AppPatch\ja-JP\backup.exe
C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
6⤵
PID:1236

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
- Drops file in Windows directory
PID:2604

C:\Windows\assembly\GAC\backup.exe
C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
6⤵
- Drops file in Windows directory
PID:768

C:\Windows\assembly\GAC\ADODB\backup.exe
C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
7⤵
PID:3064

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:2648

C:\Windows\assembly\GAC\Extensibility\backup.exe
C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
7⤵
PID:3008

C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:2828

C:\Windows\assembly\GAC\Microsoft.Ink\data.exe
C:\Windows\assembly\GAC\Microsoft.Ink\data.exe C:\Windows\assembly\GAC\Microsoft.Ink\
7⤵
PID:1724

C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
8⤵
PID:2740

C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\
8⤵
PID:2380

C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
7⤵
PID:2848

C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:888

C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
7⤵
PID:872

C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:1488

C:\Windows\assembly\GAC\mscomctl\backup.exe
C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
7⤵
PID:2776

C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
8⤵
PID:1636

C:\Windows\assembly\GAC\MSDATASRC\backup.exe
C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
7⤵
PID:1624

C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:3028

C:\Windows\assembly\GAC\stdole\backup.exe
C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
7⤵
PID:1428

C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:2892

C:\Windows\assembly\GAC_32\backup.exe
C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
6⤵
PID:2992

C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe
C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\
7⤵
PID:3024

C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
8⤵
- System policy modification
PID:1468

C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe
C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\
7⤵
PID:1272

C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\
8⤵
PID:2088

C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
7⤵
PID:2736

C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
8⤵
PID:2724

C:\Windows\assembly\GAC_32\ehexthost32\backup.exe
C:\Windows\assembly\GAC_32\ehexthost32\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\
7⤵
PID:2632

C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\update.exe
C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\update.exe C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\
8⤵
PID:1992

C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
7⤵
PID:2688

C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
8⤵
PID:2220

C:\Windows\assembly\GAC_32\mcstoredb\backup.exe
C:\Windows\assembly\GAC_32\mcstoredb\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\
7⤵
PID:1484

C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\
8⤵
PID:1996

C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\
7⤵
PID:2084

C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\
8⤵
PID:756

C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\update.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\update.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
7⤵
- System policy modification
PID:704

C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\
8⤵
PID:2692

C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\
8⤵
PID:2512

C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\
8⤵
PID:1552

C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\
8⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\CRX_INSTALL\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\CRX_INSTALL\
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2548

C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\CRX_INSTALL\backup.exe
C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\CRX_INSTALL\
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:544

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\CRX_INSTALL\backup.exe
Filesize
296KB

MD5
956d290565848a8ee59440671a5bc313

SHA1
ea18a0ac98c854bf9602df88a5651d0088e2ea71

SHA256
3c3eac1cf81510739b8b7155d0d6c85f81c7d009cf766681f7953dbcb8ec2346

SHA512
9110937e6c2466d5fc423f08d744f3fe134a5d9b1b8392cfa79fdeed9674f0f65913336c954012960593b365bd6af249ac19e9e31b4a6e606e418d444032b9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip
Filesize
80KB

MD5
39cd1656faccc2b44290524c67a53678

SHA1
59203d8ca815105cc956143c083fdb011042826a

SHA256
dbbff5a4d339f1dc813d2093f11ae8e3c6ae918f5163a9b1f4a452aee41a800f

SHA512
93c71899471a782ba866a486b735cde7cd1570807a2bed5618363c87075039cd1b5d018104ff45c72a2c91c4ac9c27975d72e00d9f0bd7ff53cb6284948c9059

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip
Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe
Filesize
296KB

MD5
cc6833fb545114fad1ed54e091f04e18

SHA1
841ce36e9d2ca82e17afb1cde78d8b12736d1c79

SHA256
320c673250b918bae7a8e7fe14c50de68a18a7c3b0fe9cf4dfb1660db58ec984

SHA512
d0826d9ed6cab157c8748c010be3c4b146b8897125bc19af14366ed8e56f464ddff814f5618373e0f030a2ca6885149c07d8215d5072a296f7212ef3923f3f42

Download Submit
\PerfLogs\Admin\backup.exe
Filesize
296KB

MD5
8929ceac6428e64562248a3149b13549

SHA1
f1bf3e1589926c44fe6de6ca683554eadbc73e2e

SHA256
171b08d37649134d866c8ac37bd7307c067a602fc4efa32c270f7b246907626e

SHA512
8fa5cb4dca265a606ac1d3ad33ba7ad9821279844d8bbfac116b849df05d34bf19282da00c03482642e31ae326f3c0a751fa9447a224a2086bfd9a0121659ca8

Download Submit
\PerfLogs\backup.exe
Filesize
296KB

MD5
cd54d42a57225b2620b01c3e73390365

SHA1
43babbea217b2cd1e5f4d46a72ccb676c71cf258

SHA256
dc1ad3ed78daf27c0e02fe2d0d5863e0e159b7c1485ad7410b0a5de90ec7a927

SHA512
cb0c86eab92e488c0290fcce865410c8f760ad52a391f7270a465e1b5e329b99e1b1a44ef37ae70539d98220468bb1caa8b8b387fc2cd6aebfc5eac86a00d7f0

Download Submit
\Program Files\7-Zip\Lang\backup.exe
Filesize
296KB

MD5
e0c5b4d62009779bd74c1265396a2ed1

SHA1
91c424e6eca89f40ade0b635c24554c8e626d8be

SHA256
a99d3247063efcdc1f12b8a3060ff5c8879e2ae4c13b6dad17ddccbb8456c160

SHA512
566ffaf11c6e7199b9279ed1af00fd5917ae5798945425370ad876cd23cf7217c5b3118feaf11f2029c8490f4152d6f34f487f5b2af271aeddc6ab5854e91150

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe
Filesize
296KB

MD5
cd103989fe4a22f3345c18e5d03d76c3

SHA1
8876bfab27ee21d0cd0c973164a30f7483ee6228

SHA256
a3baf281e071820ffc60efac53facf102a401550bdf1c1ff0512d2cf2f6f4166

SHA512
400db6dd236f6f29d7eac6ad14ee89b0e5e5228485316a5b6545b0b81a8807b4e7b9dd43efdc518f96934d04c94a60163979a1ff7c6a35d8001b0c48d45f821e

Download Submit
\Program Files\Common Files\backup.exe
Filesize
296KB

MD5
6b57ca69a9538c79972c68f047655385

SHA1
906f75c4082592bf2d2ffd628e57a1e2e7643d0d

SHA256
456298d260b5f761a842485170a20bae7305cb870111ae5e2276882bf2065c53

SHA512
b3d717cd43c226952ed63b5cc8c15e2e18c0b6b859993efd144692c034d05f23030282dd3b3c5d968939321a95acaab7e278f5412a50031c17c08f953155465a

Download Submit
\Users\Admin\AppData\Local\Temp\411840959\backup.exe
Filesize
296KB

MD5
697b64dfcb5745d3c6c925d4fba5ca66

SHA1
911ec69851ea32b1cf9abb12eadef2e8521bbc39

SHA256
dc10a0f5831a6ded6cf5068e7a70ace741178b4d12a77b4be8644035cd1bc905

SHA512
dc653194a395a92ff6c7dd46fcf856a65159928a857c1169ac466f5e1824080bf646b43692e3a3044ac1a976e06e78ad2fa5712ef59494d8735b28dc4a46f04c

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir816_1791373456\CRX_INSTALL\backup.exe
Filesize
296KB

MD5
24c04aacd5c7cb269b3240ca95e896d2

SHA1
1321eec233a8cceef7535891ced795664be2038c

SHA256
a7bacc41342f49a03c3e029164816bc90c73eb4647d1ff26b718477fe6692294

SHA512
cff1155afed304a19b32ef4b5d8b3fd33293e753858c0b6d4961ce03d2d72059c99b5a9b32ed3af354134373c4d52416950fdd5a8040bb987c1688c599eb202a

Download Submit
\Users\Admin\AppData\Local\Temp\scoped_dir816_2026301031\backup.exe
Filesize
296KB

MD5
43b2a916e08bace43015b6b1b134af27

SHA1
7182550c608590e71e39fd05894e71da5323cbd4

SHA256
4532a95da01148dd733612afa85e543f98d67e32db49a51b9df40feb4c348c2f

SHA512
0a2a2e4caff39d09883975c17ccc432dbb954a0a5f08b0313e590e838952e403f10a4b80cca69afeabbbc9be1a7fc9217480de79d8746d1dbc7768dde98b95fb

Download Submit
memory/268-219-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/268-221-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/328-469-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/328-464-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/332-2936-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/552-294-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/552-290-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/556-7625-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/556-7626-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/616-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/616-46-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/616-107-0x0000000002AC0000-0x0000000002B17000-memory.dmp

Filesize
348KB

Download
memory/616-23-0x0000000002AC0000-0x0000000002B17000-memory.dmp

Filesize
348KB

Download
memory/616-101-0x0000000002AC0000-0x0000000002B17000-memory.dmp

Filesize
348KB

Download
memory/616-166-0x0000000002AC0000-0x0000000002B17000-memory.dmp

Filesize
348KB

Download
memory/616-7-0x0000000002AC0000-0x0000000002B17000-memory.dmp

Filesize
348KB

Download
memory/640-7146-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/756-4678-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/788-13865-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/788-13862-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/880-192-0x0000000002650000-0x00000000026A7000-memory.dmp

Filesize
348KB

Download
memory/880-165-0x0000000002650000-0x00000000026A7000-memory.dmp

Filesize
348KB

Download
memory/880-230-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1236-3612-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1276-6071-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1276-6070-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1284-5215-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1284-5216-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1320-10023-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1416-11628-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1428-11252-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1604-271-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1604-275-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1608-11731-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1608-11732-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1612-494-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1636-123-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1656-14865-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1656-3286-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1676-503-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1748-12106-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1764-4450-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1764-508-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1764-512-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1780-438-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1888-284-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1888-282-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1964-270-0x0000000000390000-0x00000000003E7000-memory.dmp

Filesize
348KB

Download
memory/1964-264-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1964-204-0x0000000000390000-0x00000000003E7000-memory.dmp

Filesize
348KB

Download
memory/1976-59-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1976-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2000-456-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2000-455-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2012-15110-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2012-15112-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2036-2459-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2036-2455-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2068-51-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2068-47-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2132-347-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2132-418-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2132-499-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2132-320-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2132-265-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2132-474-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2132-375-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2132-365-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2132-427-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2132-517-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2132-309-0x0000000000540000-0x0000000000597000-memory.dmp

Filesize
348KB

Download
memory/2136-5565-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2136-2891-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2136-2889-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2136-315-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2168-342-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2168-340-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2192-205-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2192-224-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2228-333-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2228-331-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-183-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2280-241-0x0000000002730000-0x0000000002787000-memory.dmp

Filesize
348KB

Download
memory/2280-289-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2320-252-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2320-256-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2352-13125-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2404-324-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2468-251-0x0000000001D30000-0x0000000001D87000-memory.dmp

Filesize
348KB

Download
memory/2468-308-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2468-316-0x0000000001D30000-0x0000000001D87000-memory.dmp

Filesize
348KB

Download
memory/2468-310-0x0000000001D30000-0x0000000001D87000-memory.dmp

Filesize
348KB

Download
memory/2472-422-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2476-12276-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2476-12282-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2484-478-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2496-13465-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2496-397-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2500-4664-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2500-4663-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2504-5744-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2516-97-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2548-96-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2560-14659-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2560-405-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2584-133-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2648-371-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2648-366-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2668-76-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2680-352-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2680-348-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2684-360-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2696-100-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2712-11236-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2712-11238-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2724-445-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2724-447-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2736-487-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2748-388-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2768-62-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2796-11986-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2808-14365-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2832-13387-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2836-179-0x00000000005F0000-0x0000000000647000-memory.dmp

Filesize
348KB

Download
memory/2836-184-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2888-13329-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2892-462-0x0000000002B50000-0x0000000002BA7000-memory.dmp

Filesize
348KB

Download
memory/2892-378-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2892-384-0x0000000002B50000-0x0000000002BA7000-memory.dmp

Filesize
348KB

Download
memory/2892-468-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2892-463-0x0000000002B50000-0x0000000002BA7000-memory.dmp

Filesize
348KB

Download
memory/2892-454-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2892-393-0x0000000002B50000-0x0000000002BA7000-memory.dmp

Filesize
348KB

Download
memory/2928-12397-0x0000000076B20000-0x0000000076C1A000-memory.dmp

Filesize
1000KB

Download
memory/2928-12396-0x0000000076C20000-0x0000000076D3F000-memory.dmp

Filesize
1.1MB

Download
memory/2928-12752-0x0000000076C20000-0x0000000076D3F000-memory.dmp

Filesize
1.1MB

Download
memory/2928-12753-0x0000000076B20000-0x0000000076C1A000-memory.dmp

Filesize
1000KB

Download
memory/2928-2751-0x0000000076B20000-0x0000000076C1A000-memory.dmp

Filesize
1000KB

Download
memory/2928-2752-0x0000000002B30000-0x0000000002C40000-memory.dmp

Filesize
1.1MB

Download
memory/2928-2750-0x0000000076C20000-0x0000000076D3F000-memory.dmp

Filesize
1.1MB

Download
memory/2928-4229-0x0000000076C20000-0x0000000076D3F000-memory.dmp

Filesize
1.1MB

Download
memory/2928-4230-0x0000000076B20000-0x0000000076C1A000-memory.dmp

Filesize
1000KB

Download
memory/2976-413-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2984-4896-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2988-122-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3004-303-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3004-301-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3056-28-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads