5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
Size

72KB
MD5

279627e4ca4974997d5b85d6e48c0ea0
SHA1

ce93607da3080ab6238168b839ac19bcc16586c1
SHA256

5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773
SHA512

e58b3c52ec7a504d5b493d75692cb38346574b2271c8844bba941942957687f2ebc3a303cca784e2ee98cb70584903a138fd471a4d32b86818288f3bef6a3989
SSDEEP

384:i6wayA+1mwnA353BXR+oGfP5d/ZBHXME+l93qPAqee/w6yJ/wWD+S83BXR+oGf2t:ipQNwC3BEddsEqOt/hyJF+x3BEJwRrB

Score

10^/10

evasion

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exeupdate.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Disables RegEdit via registry modification 64 IoCs

evasion

Processes:

backup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Drops file in Drivers directory 14 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\update.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\data.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\data.exe
File opened for modification	C:\Windows\SysWOW64\drivers\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\backup.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\backup.exe

Executes dropped EXE 64 IoCs

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exe

pid	process
856	backup.exe
2716	backup.exe
1280	backup.exe
2684	backup.exe
2760	backup.exe
2792	backup.exe
2704	backup.exe
1980	backup.exe
2740	backup.exe
2888	backup.exe
2408	backup.exe
1764	backup.exe
2328	backup.exe
2428	backup.exe
2280	data.exe
2768	backup.exe
2836	backup.exe
784	backup.exe
584	backup.exe
832	backup.exe
1668	backup.exe
2400	data.exe
1932	backup.exe
1548	backup.exe
1612	System Restore.exe
2868	backup.exe
916	backup.exe
704	backup.exe
1944	backup.exe
2968	backup.exe
3004	backup.exe
1424	backup.exe
2060	backup.exe
2372	backup.exe
1952	backup.exe
2144	backup.exe
2664	backup.exe
2592	backup.exe
2824	backup.exe
2576	backup.exe
2468	backup.exe
2616	backup.exe
2440	backup.exe
2992	backup.exe
2908	backup.exe
2544	System Restore.exe
2540	backup.exe
2928	backup.exe
2388	backup.exe
1688	backup.exe
848	backup.exe
1332	backup.exe
2332	backup.exe
2872	backup.exe
536	backup.exe
572	backup.exe
1916	backup.exe
1164	data.exe
1488	backup.exe
1824	backup.exe
1856	backup.exe
2788	backup.exe
1400	data.exe
2084	backup.exe

Loads dropped DLL 64 IoCs

Processes:

5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exe

pid	process
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
1980	backup.exe
1980	backup.exe
2740	backup.exe
2740	backup.exe
1980	backup.exe
1980	backup.exe
2408	backup.exe
2408	backup.exe
1764	backup.exe
1764	backup.exe
2408	backup.exe
2408	backup.exe
2428	backup.exe
2428	backup.exe
2280	data.exe
2280	data.exe
2280	data.exe
2280	data.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
2836	backup.exe
1944	backup.exe
1944	backup.exe
1944	backup.exe
1944	backup.exe
1944	backup.exe
1944	backup.exe
1944	backup.exe
1944	backup.exe

Drops file in System32 directory 64 IoCs

Processes:

backup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\backup.exe
File opened for modification	C:\Windows\SysWOW64\Dism\fr-FR\data.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0014\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0c0c\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkLoadBalancing-Core\backup.exe
File opened for modification	C:\Windows\SysWOW64\config\Journal\backup.exe
File opened for modification	C:\Windows\SysWOW64\de\backup.exe
File opened for modification	C:\Windows\SysWOW64\IME\imekr8\data.exe
File opened for modification	C:\Windows\SysWOW64\backup.exe	backup.exe
File opened for modification	C:\Windows\SysWOW64\icsxml\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-shmig\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0804\backup.exe
File opened for modification	C:\Windows\SysWOW64\Msdtc\Trace\backup.exe
File opened for modification	C:\Windows\SysWOW64\com\it-IT\backup.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\backup.exe
File opened for modification	C:\Windows\SysWOW64\Dism\en-US\backup.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMESC5\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0011\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-shmig-DL\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc\backup.exe
File opened for modification	C:\Windows\SysWOW64\AdvancedInstallers\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-PerformanceCounterInfrastructure-DL\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\WindowsSearchEngine\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\en-US\backup.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\backup.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\backup.exe
File opened for modification	C:\Windows\SysWOW64\hr-HR\backup.exe
File opened for modification	C:\Windows\SysWOW64\com\en-US\backup.exe
File opened for modification	C:\Windows\SysWOW64\config\update.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\update.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DirectoryServices-ADAM-DL\backup.exe
File opened for modification	C:\Windows\SysWOW64\com\es-ES\backup.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC10\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\System Restore.exe
File opened for modification	C:\Windows\SysWOW64\0409\backup.exe
File opened for modification	C:\Windows\SysWOW64\catroot2\backup.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC10\applets\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-TapiSetup\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\it-IT\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0404\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0015\backup.exe
File opened for modification	C:\Windows\SysWOW64\LogFiles\backup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\040c\backup.exe
File opened for modification	C:\Windows\SysWOW64\migration\backup.exe
File opened for modification	C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\Microsoft-Windows-RasServer-MigPlugin\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IE-ESC\backup.exe
File opened for modification	C:\Windows\SysWOW64\MUI\0409\update.exe
File opened for modification	C:\Windows\SysWOW64\0407\data.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0003\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0024\backup.exe
File opened for modification	C:\Windows\SysWOW64\MUI\backup.exe
File opened for modification	C:\Windows\SysWOW64\Dism\ja-JP\backup.exe
File opened for modification	C:\Windows\SysWOW64\migration\en-US\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-RasConnectionManager\backup.exe
File opened for modification	C:\Windows\SysWOW64\DriverStore\backup.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0816\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-International-Core-DL\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-international-core\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-msmq-messagingcoreservice\backup.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-OfflineFiles-DL\backup.exe

Drops file in Program Files directory 64 IoCs

Processes:

data.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe	data.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\data.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe	update.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\de-DE\backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\backup.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\data.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\backup.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\backup.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\backup.exe

Drops file in Windows directory 64 IoCs

Processes:

backup.exebackup.exe

description	ioc	process
File opened for modification	C:\Windows\ehome\wow\de-DE\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\90cd177df2fc13d88c401b6b53a121b8\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\fac6392e83ef7e777b78933e057c9546\backup.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 3.0.0.0\0410\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\e2e42e6b0f65a618da8ab7235c27faf0\backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\inf\ASP.NET\0012\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1035\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.SqlXml\backup.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Styles\NTSC\Symphony\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\1040\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\it\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MUI\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\backup.exe
File opened for modification	C:\Windows\schemas\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiActivScp\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\backup.exe
File opened for modification	C:\Windows\inf\RemoteAccess\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\fr\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Annotations\v4.0_4.0.0.0__b03f5f7f11d50a3a\update.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel\da1a143bfdb77511e8b81e41482b73d7\backup.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\System Restore.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\it-IT\backup.exe
File opened for modification	C:\Windows\diagnostics\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\e588691224a17737f3a164cc2d46c156\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\System Restore.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services\v4.0_4.0.0.0__b77a5c561934e089\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_fr_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\c37de755ec3ee73d604bc11f85599177\backup.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Styles\NTSC\Symphony\Symphony\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\data.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Contract.v9.0\9.0.0.0__b03f5f7f11d50a3a\update.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\618ab8996b43e841efdcfb273393fc02\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Core\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_fr_31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\backup.exe
File opened for modification	C:\Windows\schemas\EAPHost\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Servd1dec626#\9fab28f14be5a0da526b1ceaaa04a4c3\backup.exe
File opened for modification	C:\Windows\inf\ASP.NET\001F\backup.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\0804\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Design\e54657ea70d60e1ad13dc5f818f32e90\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehiActivScp\6.1.0.0__31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf293040f3a93afa1ea782487acae816\backup.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Desktop\backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.AddInManager\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\update.exe
File opened for modification	C:\Windows\inf\UGatherer\0409\backup.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Classic\v4.0_4.0.0.0__31bf3856ad364e35\backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\naphlpr\backup.exe
File opened for modification	C:\Windows\PLA\Reports\ja-JP\update.exe
File opened for modification	C:\Windows\security\backup.exe	backup.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1029\backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe

pid process

2524 5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exedata.exe

pid	process
2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
856	backup.exe
2716	backup.exe
1280	backup.exe
2684	backup.exe
2760	backup.exe
2792	backup.exe
2704	backup.exe
1980	backup.exe
2740	backup.exe
2888	backup.exe
2408	backup.exe
1764	backup.exe
2328	backup.exe
2428	backup.exe
2280	data.exe
2768	backup.exe
2836	backup.exe
784	backup.exe
584	backup.exe
832	backup.exe
1668	backup.exe
2400	data.exe
1932	backup.exe
1548	backup.exe
1612	System Restore.exe
2868	backup.exe
916	backup.exe
704	backup.exe
1944	backup.exe
2968	backup.exe
3004	backup.exe
1424	backup.exe
2060	backup.exe
2372	backup.exe
1952	backup.exe
2144	backup.exe
2664	backup.exe
2592	backup.exe
2824	backup.exe
2576	backup.exe
2468	backup.exe
2616	backup.exe
2440	backup.exe
2992	backup.exe
2908	backup.exe
2544	System Restore.exe
2540	backup.exe
2928	backup.exe
2388	backup.exe
1688	backup.exe
848	backup.exe
1332	backup.exe
2332	backup.exe
2872	backup.exe
536	backup.exe
572	backup.exe
1916	backup.exe
1164	data.exe
1488	backup.exe
1824	backup.exe
1856	backup.exe
2788	backup.exe
1400	data.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exe

description	pid	process	target process
PID 2524 wrote to memory of 856	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 856	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 856	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 856	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2716	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2716	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2716	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2716	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 1280	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 1280	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 1280	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 1280	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2684	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2684	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2684	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2684	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2760	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2760	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2760	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2760	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2792	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2792	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2792	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2792	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2704	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2704	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2704	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 2524 wrote to memory of 2704	2524	5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe	backup.exe
PID 856 wrote to memory of 1980	856	backup.exe	backup.exe
PID 856 wrote to memory of 1980	856	backup.exe	backup.exe
PID 856 wrote to memory of 1980	856	backup.exe	backup.exe
PID 856 wrote to memory of 1980	856	backup.exe	backup.exe
PID 1980 wrote to memory of 2740	1980	backup.exe	backup.exe
PID 1980 wrote to memory of 2740	1980	backup.exe	backup.exe
PID 1980 wrote to memory of 2740	1980	backup.exe	backup.exe
PID 1980 wrote to memory of 2740	1980	backup.exe	backup.exe
PID 2740 wrote to memory of 2888	2740	backup.exe	backup.exe
PID 2740 wrote to memory of 2888	2740	backup.exe	backup.exe
PID 2740 wrote to memory of 2888	2740	backup.exe	backup.exe
PID 2740 wrote to memory of 2888	2740	backup.exe	backup.exe
PID 1980 wrote to memory of 2408	1980	backup.exe	backup.exe
PID 1980 wrote to memory of 2408	1980	backup.exe	backup.exe
PID 1980 wrote to memory of 2408	1980	backup.exe	backup.exe
PID 1980 wrote to memory of 2408	1980	backup.exe	backup.exe
PID 2408 wrote to memory of 1764	2408	backup.exe	backup.exe
PID 2408 wrote to memory of 1764	2408	backup.exe	backup.exe
PID 2408 wrote to memory of 1764	2408	backup.exe	backup.exe
PID 2408 wrote to memory of 1764	2408	backup.exe	backup.exe
PID 1764 wrote to memory of 2328	1764	backup.exe	backup.exe
PID 1764 wrote to memory of 2328	1764	backup.exe	backup.exe
PID 1764 wrote to memory of 2328	1764	backup.exe	backup.exe
PID 1764 wrote to memory of 2328	1764	backup.exe	backup.exe
PID 2408 wrote to memory of 2428	2408	backup.exe	backup.exe
PID 2408 wrote to memory of 2428	2408	backup.exe	backup.exe
PID 2408 wrote to memory of 2428	2408	backup.exe	backup.exe
PID 2408 wrote to memory of 2428	2408	backup.exe	backup.exe
PID 2428 wrote to memory of 2280	2428	backup.exe	data.exe
PID 2428 wrote to memory of 2280	2428	backup.exe	data.exe
PID 2428 wrote to memory of 2280	2428	backup.exe	data.exe
PID 2428 wrote to memory of 2280	2428	backup.exe	data.exe
PID 2280 wrote to memory of 2768	2280	data.exe	backup.exe
PID 2280 wrote to memory of 2768	2280	data.exe	backup.exe
PID 2280 wrote to memory of 2768	2280	data.exe	backup.exe
PID 2280 wrote to memory of 2768	2280	data.exe	backup.exe

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

Processes:

backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

C:\Users\Admin\AppData\Local\Temp\5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe
"C:\Users\Admin\AppData\Local\Temp\5edad25dcb8ad2cf2d0b8ef41de6580a33fc28461bc47738fb56b8cc11495773.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\1928637587\backup.exe
C:\Users\Admin\AppData\Local\Temp\1928637587\backup.exe C:\Users\Admin\AppData\Local\Temp\1928637587\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:856

C:\backup.exe
\backup.exe \
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\PerfLogs\backup.exe
C:\PerfLogs\backup.exe C:\PerfLogs\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2740

C:\PerfLogs\Admin\backup.exe
C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Program Files\backup.exe
"C:\Program Files\backup.exe" C:\Program Files\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408

C:\Program Files\7-Zip\backup.exe
"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764

C:\Program Files\7-Zip\Lang\backup.exe
"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Program Files\Common Files\backup.exe
"C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2428

C:\Program Files\Common Files\Microsoft Shared\data.exe
"C:\Program Files\Common Files\Microsoft Shared\data.exe" C:\Program Files\Common Files\Microsoft Shared\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2280

C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:784

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:584

C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:832

C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2400

C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1612

C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916

C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:704

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2372

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2592

C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
8⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2928

C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:848

C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:536

C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:572

C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1488

C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
8⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2788

C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\data.exe
"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2084

C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
8⤵
PID:876

C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
8⤵
PID:1632

C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
8⤵
PID:2860

C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
8⤵
PID:964

C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
8⤵
PID:2208

C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe
"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:1712

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
7⤵
PID:1256

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
8⤵
PID:2088

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:1504

C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
7⤵
PID:2184

C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
7⤵
PID:1600

C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
8⤵
PID:1432

C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\update.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
8⤵
PID:2588

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
8⤵
PID:2656

C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
8⤵
PID:2644

C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
8⤵
PID:1944

C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
8⤵
PID:2824

C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
7⤵
PID:2576

C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
8⤵
PID:2452

C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
8⤵
- Disables RegEdit via registry modification
PID:2616

C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
8⤵
PID:2440

C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
8⤵
PID:2992

C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
8⤵
PID:2676

C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
8⤵
PID:2652

C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
7⤵
PID:1972

C:\Program Files\Common Files\Microsoft Shared\VGX\data.exe
"C:\Program Files\Common Files\Microsoft Shared\VGX\data.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
7⤵
PID:2884

C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
7⤵
PID:1660

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
8⤵
PID:2316

C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
9⤵
PID:1960

C:\Program Files\Common Files\Services\backup.exe
"C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
6⤵
PID:1624

C:\Program Files\Common Files\SpeechEngines\backup.exe
"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
6⤵
PID:1804

C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
7⤵
PID:2940

C:\Program Files\Common Files\System\backup.exe
"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
6⤵
- Modifies visibility of file extensions in Explorer
PID:2096

C:\Program Files\Common Files\System\ado\backup.exe
"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
7⤵
PID:2296

C:\Program Files\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
8⤵
PID:268

C:\Program Files\Common Files\System\ado\en-US\update.exe
"C:\Program Files\Common Files\System\ado\en-US\update.exe" C:\Program Files\Common Files\System\ado\en-US\
8⤵
PID:1476

C:\Program Files\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
8⤵
PID:568

C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
8⤵
PID:1488

C:\Program Files\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
8⤵
PID:1140

C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
8⤵
PID:444

C:\Program Files\Common Files\System\de-DE\System Restore.exe
"C:\Program Files\Common Files\System\de-DE\System Restore.exe" C:\Program Files\Common Files\System\de-DE\
7⤵
PID:1156

C:\Program Files\Common Files\System\en-US\backup.exe
"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
7⤵
PID:1400

C:\Program Files\Common Files\System\es-ES\backup.exe
"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
7⤵
PID:968

C:\Program Files\Common Files\System\fr-FR\data.exe
"C:\Program Files\Common Files\System\fr-FR\data.exe" C:\Program Files\Common Files\System\fr-FR\
7⤵
PID:1868

C:\Program Files\Common Files\System\it-IT\backup.exe
"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
7⤵
PID:2424

C:\Program Files\Common Files\System\ja-JP\backup.exe
"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
7⤵
PID:2860

C:\Program Files\Common Files\System\msadc\backup.exe
"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
7⤵
PID:1064

C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
8⤵
PID:2208

C:\Program Files\Common Files\System\msadc\en-US\data.exe
"C:\Program Files\Common Files\System\msadc\en-US\data.exe" C:\Program Files\Common Files\System\msadc\en-US\
8⤵
PID:992

C:\Program Files\Common Files\System\msadc\es-ES\update.exe
"C:\Program Files\Common Files\System\msadc\es-ES\update.exe" C:\Program Files\Common Files\System\msadc\es-ES\
8⤵
PID:2856

C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
8⤵
PID:2864

C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
8⤵
PID:908

C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
8⤵
PID:1796

C:\Program Files\Common Files\System\Ole DB\backup.exe
"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
7⤵
PID:2748

C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
8⤵
PID:2716

C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
8⤵
PID:2380

C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
8⤵
PID:2816

C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
8⤵
PID:2812

C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
8⤵
PID:3012

C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2580

C:\Program Files\DVD Maker\backup.exe
"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
5⤵
- Drops file in Program Files directory
PID:2772

C:\Program Files\DVD Maker\de-DE\System Restore.exe
"C:\Program Files\DVD Maker\de-DE\System Restore.exe" C:\Program Files\DVD Maker\de-DE\
6⤵
PID:2240

C:\Program Files\DVD Maker\en-US\backup.exe
"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
6⤵
PID:2148

C:\Program Files\DVD Maker\es-ES\backup.exe
"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
6⤵
PID:2244

C:\Program Files\DVD Maker\fr-FR\backup.exe
"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
6⤵
PID:1656

C:\Program Files\DVD Maker\it-IT\backup.exe
"C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
6⤵
PID:2892

C:\Program Files\DVD Maker\ja-JP\backup.exe
"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
6⤵
PID:2920

C:\Program Files\DVD Maker\Shared\backup.exe
"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
6⤵
PID:2224

C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
7⤵
- Drops file in Program Files directory
PID:332

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
8⤵
PID:1976

C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
8⤵
PID:848

C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
8⤵
PID:2280

C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
8⤵
PID:1624

C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
8⤵
PID:1520

C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
8⤵
PID:1804

C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
8⤵
PID:2420

C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
8⤵
PID:1920

C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\System Restore.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
8⤵
PID:844

C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
8⤵
PID:3008

C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
8⤵
PID:2936

C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
8⤵
PID:408

C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
8⤵
PID:2944

C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
8⤵
PID:1396

C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
8⤵
PID:1536

C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\data.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\data.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
8⤵
PID:1344

C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
8⤵
PID:2132

C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
8⤵
PID:2868

C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
8⤵
PID:920

C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
8⤵
PID:704

C:\Program Files\Google\backup.exe
"C:\Program Files\Google\backup.exe" C:\Program Files\Google\
5⤵
PID:1560

C:\Program Files\Google\Chrome\data.exe
"C:\Program Files\Google\Chrome\data.exe" C:\Program Files\Google\Chrome\
6⤵
PID:2156

C:\Program Files\Google\Chrome\Application\update.exe
"C:\Program Files\Google\Chrome\Application\update.exe" C:\Program Files\Google\Chrome\Application\
7⤵
PID:2856

C:\Program Files\Google\Chrome\Application\106.0.5249.119\data.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\data.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
8⤵
- Drops file in Program Files directory
PID:2364

C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
9⤵
PID:1572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
9⤵
PID:2228

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
9⤵
PID:2252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\data.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\data.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
9⤵
PID:1284

C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
9⤵
PID:2700

C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
9⤵
PID:2632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
9⤵
PID:2688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
10⤵
PID:1636

C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
11⤵
PID:1600

C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
8⤵
PID:2556

C:\Program Files\Internet Explorer\backup.exe
"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
5⤵
PID:2468

C:\Program Files\Internet Explorer\de-DE\backup.exe
"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
6⤵
PID:2612

C:\Program Files\Internet Explorer\en-US\backup.exe
"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
6⤵
PID:2960

C:\Program Files\Internet Explorer\es-ES\backup.exe
"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
6⤵
PID:1848

C:\Program Files\Internet Explorer\fr-FR\backup.exe
"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
6⤵
PID:2908

C:\Program Files\Internet Explorer\images\backup.exe
"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
6⤵
PID:2732

C:\Program Files\Internet Explorer\it-IT\backup.exe
"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
6⤵
PID:2888

C:\Program Files\Internet Explorer\ja-JP\backup.exe
"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
6⤵
PID:2740

C:\Program Files\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
6⤵
PID:1784

C:\Program Files\Java\backup.exe
"C:\Program Files\Java\backup.exe" C:\Program Files\Java\
5⤵
PID:1964

C:\Program Files\Java\jdk1.7.0_80\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
6⤵
- Drops file in Program Files directory
PID:1660

C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
7⤵
PID:2500

C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
7⤵
PID:2332

C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
8⤵
PID:2940

C:\Program Files\Java\jdk1.7.0_80\db\lib\data.exe
"C:\Program Files\Java\jdk1.7.0_80\db\lib\data.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
8⤵
PID:536

C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
7⤵
PID:2840

C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
8⤵
PID:600

C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
9⤵
PID:784

C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
7⤵
PID:584

C:\Program Files\Java\jdk1.7.0_80\jre\bin\data.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
8⤵
PID:2308

C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
9⤵
- System policy modification
PID:2396

C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
9⤵
PID:2152

C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
9⤵
PID:2836

C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
8⤵
- Drops file in Program Files directory
PID:1860

C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\update.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
9⤵
PID:1548

C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
9⤵
PID:1820

C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
9⤵
PID:2080

C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
9⤵
PID:2852

C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
9⤵
PID:548

C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
9⤵
PID:2772

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
9⤵
PID:3004

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
10⤵
PID:1704

C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
9⤵
PID:2060

C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
9⤵
PID:2372

C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
9⤵
PID:1420

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\data.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
9⤵
- Disables RegEdit via registry modification
PID:2588

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
10⤵
PID:2380

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
10⤵
PID:2700

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
11⤵
PID:2684

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
11⤵
PID:2672

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
11⤵
PID:2484

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
11⤵
PID:2196

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\data.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
10⤵
PID:2088

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
10⤵
PID:2444

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
10⤵
PID:2708

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\data.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
10⤵
- Disables RegEdit via registry modification
PID:312

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
10⤵
PID:2744

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
10⤵
PID:2564

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
10⤵
PID:2576

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
10⤵
PID:1972

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
10⤵
PID:1692

C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
7⤵
PID:1792

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
8⤵
- Drops file in Program Files directory
PID:1684

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
9⤵
PID:1764

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
10⤵
PID:632

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
10⤵
PID:1924

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
9⤵
PID:2404

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
9⤵
PID:2828

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
10⤵
PID:804

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
10⤵
PID:1480

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
10⤵
PID:568

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
10⤵
PID:600

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
10⤵
PID:1352

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
10⤵
PID:2284

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
10⤵
PID:2168

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
10⤵
PID:1400

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
10⤵
PID:2308

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\System Restore.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
10⤵
PID:1344

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
11⤵
PID:904

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
10⤵
PID:916

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
11⤵
PID:2080

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
10⤵
PID:704

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
11⤵
PID:468

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
10⤵
PID:3064

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
11⤵
PID:1872

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
10⤵
PID:1728

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
11⤵
PID:1064

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
10⤵
PID:3028

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\
11⤵
PID:2660

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
10⤵
PID:2568

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\
11⤵
PID:2640

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\
10⤵
PID:1760

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\
11⤵
PID:2560

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\
10⤵
PID:2792

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\
11⤵
PID:2448

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\
10⤵
PID:2876

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\
11⤵
PID:2504

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\
10⤵
PID:2612

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\
11⤵
PID:2960

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\
10⤵
PID:2676

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\
11⤵
PID:2728

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\
10⤵
PID:2732

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\
11⤵
PID:2928

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
9⤵
PID:2320

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
10⤵
PID:2716

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
11⤵
PID:2468

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
12⤵
PID:2180

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
10⤵
PID:1576

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
11⤵
PID:2008

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
12⤵
PID:2620

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
9⤵
PID:536

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
10⤵
- Drops file in Program Files directory
PID:804

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
11⤵
PID:2300

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
12⤵
PID:568

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
13⤵
- Modifies visibility of file extensions in Explorer
PID:600

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
13⤵
PID:444

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
13⤵
PID:2296

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
11⤵
PID:1156

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
11⤵
PID:616

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
10⤵
- System policy modification
PID:1328

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
11⤵
PID:2132

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
11⤵
PID:904

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
11⤵
PID:1296

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
11⤵
PID:1652

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
10⤵
PID:2208

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
11⤵
PID:332

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
10⤵
PID:2972

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
11⤵
PID:2980

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\
12⤵
PID:1724

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\
11⤵
PID:2532

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\
11⤵
PID:2228

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
8⤵
PID:2548

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
9⤵
PID:2656

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
9⤵
- Drops file in Program Files directory
PID:2572

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
10⤵
PID:2632

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\update.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
11⤵
PID:2568

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\data.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
11⤵
PID:3012

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
10⤵
PID:2560

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\
11⤵
PID:2436

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
10⤵
PID:2448

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\
11⤵
PID:2648

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
10⤵
PID:2460

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\
11⤵
PID:2992

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\
12⤵
PID:2960

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\
11⤵
PID:2720

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
10⤵
PID:2728

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
9⤵
PID:2528

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\
10⤵
PID:2732

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\
11⤵
PID:1588

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\
10⤵
PID:2472

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\
11⤵
PID:1940

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\
12⤵
PID:1688

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
13⤵
PID:1520

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\
12⤵
- System policy modification
PID:3016

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
13⤵
PID:2620

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\
11⤵
PID:2420

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\
10⤵
- Drops file in Program Files directory
PID:1372

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\
11⤵
PID:1648

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\
10⤵
PID:1668

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
9⤵
- Drops file in Program Files directory
PID:2944

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\
10⤵
PID:1676

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\
11⤵
PID:1032

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\
10⤵
PID:2836

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\
11⤵
PID:804

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\
10⤵
PID:2424

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\
11⤵
PID:1344

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe
"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\
10⤵
PID:920

C:\Program Files\Java\jre7\backup.exe
"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
6⤵
- System policy modification
PID:764

C:\Program Files\Java\jre7\bin\update.exe
"C:\Program Files\Java\jre7\bin\update.exe" C:\Program Files\Java\jre7\bin\
7⤵
PID:916

C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
"C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
8⤵
PID:2976

C:\Program Files\Java\jre7\bin\plugin2\backup.exe
"C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
8⤵
PID:332

C:\Program Files\Java\jre7\bin\server\update.exe
"C:\Program Files\Java\jre7\bin\server\update.exe" C:\Program Files\Java\jre7\bin\server\
8⤵
PID:2060

C:\Program Files\Java\jre7\lib\backup.exe
"C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
7⤵
PID:2636

C:\Program Files\Java\jre7\lib\amd64\backup.exe
"C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
8⤵
PID:1284

C:\Program Files\Java\jre7\lib\applet\backup.exe
"C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
8⤵
PID:2680

C:\Program Files\Java\jre7\lib\cmm\update.exe
"C:\Program Files\Java\jre7\lib\cmm\update.exe" C:\Program Files\Java\jre7\lib\cmm\
8⤵
PID:2760

C:\Program Files\Java\jre7\lib\deploy\backup.exe
"C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\
8⤵
PID:2812

C:\Program Files\Java\jre7\lib\ext\backup.exe
"C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
8⤵
PID:2444

C:\Program Files\Java\jre7\lib\fonts\data.exe
"C:\Program Files\Java\jre7\lib\fonts\data.exe" C:\Program Files\Java\jre7\lib\fonts\
8⤵
PID:312

C:\Program Files\Java\jre7\lib\images\backup.exe
"C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
8⤵
PID:2544

C:\Program Files\Java\jre7\lib\images\cursors\backup.exe
"C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\
9⤵
PID:2764

C:\Program Files\Java\jre7\lib\jfr\backup.exe
"C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
8⤵
PID:2040

C:\Program Files\Java\jre7\lib\management\backup.exe
"C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\
8⤵
PID:1968

C:\Program Files\Java\jre7\lib\security\backup.exe
"C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
8⤵
PID:1152

C:\Program Files\Java\jre7\lib\zi\backup.exe
"C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\
8⤵
PID:2312

C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe" C:\Program Files\Java\jre7\lib\zi\Africa\
9⤵
PID:844

C:\Program Files\Java\jre7\lib\zi\America\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\
9⤵
PID:832

C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\
10⤵
PID:2528

C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\
10⤵
PID:996

C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\
10⤵
PID:1832

C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe
"C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\
10⤵
PID:612

C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\
9⤵
PID:2412

C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Asia\
9⤵
PID:1328

C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jre7\lib\zi\Atlantic\
9⤵
PID:2020

C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Australia\
9⤵
PID:1724

C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe" C:\Program Files\Java\jre7\lib\zi\Etc\
9⤵
PID:2592

C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe" C:\Program Files\Java\jre7\lib\zi\Europe\
9⤵
PID:2056

C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe" C:\Program Files\Java\jre7\lib\zi\Indian\
9⤵
PID:2344

C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe
"C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jre7\lib\zi\Pacific\
9⤵
PID:2124

C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe
"C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jre7\lib\zi\SystemV\
9⤵
PID:2776

C:\Program Files\Microsoft Games\backup.exe
"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
5⤵
- Drops file in Program Files directory
PID:2176

C:\Program Files\Microsoft Games\Chess\backup.exe
"C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
6⤵
PID:2892

C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
7⤵
PID:1608

C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
"C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
7⤵
PID:1800

C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
7⤵
PID:1956

C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
7⤵
- System policy modification
PID:1688

C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
7⤵
PID:2008

C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
7⤵
PID:2768

C:\Program Files\Microsoft Games\FreeCell\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
6⤵
PID:2152

C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
7⤵
PID:2516

C:\Program Files\Microsoft Games\FreeCell\en-US\update.exe
"C:\Program Files\Microsoft Games\FreeCell\en-US\update.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
7⤵
PID:2308

C:\Program Files\Microsoft Games\FreeCell\es-ES\data.exe
"C:\Program Files\Microsoft Games\FreeCell\es-ES\data.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
7⤵
PID:2132

C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
7⤵
PID:2388

C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
7⤵
PID:1424

C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
7⤵
PID:2976

C:\Program Files\Microsoft Games\Hearts\backup.exe
"C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
6⤵
PID:2020

C:\Program Files\Microsoft Games\Hearts\de-DE\System Restore.exe
"C:\Program Files\Microsoft Games\Hearts\de-DE\System Restore.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
7⤵
PID:3068

C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe
"C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
7⤵
PID:2220

C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
7⤵
PID:1276

C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
7⤵
PID:2556

C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
7⤵
PID:2124

C:\Program Files\Microsoft Games\Hearts\ja-JP\data.exe
"C:\Program Files\Microsoft Games\Hearts\ja-JP\data.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
7⤵
PID:2776

C:\Program Files\Microsoft Games\Mahjong\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
6⤵
PID:312

C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\
7⤵
PID:2724

C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\
7⤵
PID:1860

C:\Program Files\Microsoft Games\Mahjong\es-ES\System Restore.exe
"C:\Program Files\Microsoft Games\Mahjong\es-ES\System Restore.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\
7⤵
PID:2536

C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\
7⤵
PID:2940

C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\
7⤵
PID:3016

C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\
7⤵
PID:656

C:\Program Files\Microsoft Games\Minesweeper\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
6⤵
PID:1668

C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
7⤵
PID:968

C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\
7⤵
PID:2516

C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\
7⤵
PID:2004

C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\
7⤵
PID:2052

C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\
7⤵
PID:2848

C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\
7⤵
PID:1704

C:\Program Files\Microsoft Games\More Games\backup.exe
"C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
6⤵
PID:2184

C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe
"C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\
7⤵
PID:2660

C:\Program Files\Microsoft Games\More Games\en-US\data.exe
"C:\Program Files\Microsoft Games\More Games\en-US\data.exe" C:\Program Files\Microsoft Games\More Games\en-US\
7⤵
PID:2496

C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe
"C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe" C:\Program Files\Microsoft Games\More Games\es-ES\
7⤵
PID:2748

C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\
7⤵
PID:2384

C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe
"C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe" C:\Program Files\Microsoft Games\More Games\it-IT\
7⤵
- Disables RegEdit via registry modification
PID:2560

C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe" C:\Program Files\Microsoft Games\More Games\ja-JP\
7⤵
PID:2096

C:\Program Files\Microsoft Games\Multiplayer\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
6⤵
PID:2776

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\
7⤵
PID:2460

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\
8⤵
PID:1616

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\
8⤵
PID:1764

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\
8⤵
PID:1956

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\
8⤵
PID:1160

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\
8⤵
PID:2164

C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\
8⤵
PID:2768

C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\
7⤵
PID:788

C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\
8⤵
PID:1352

C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\
8⤵
PID:1632

C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\update.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\update.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\
8⤵
PID:2548

C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\
8⤵
PID:2608

C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\
8⤵
PID:1424

C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\data.exe
"C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\data.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\
8⤵
PID:1396

C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\
7⤵
PID:1652

C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\
8⤵
PID:768

C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\
8⤵
PID:2224

C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\
8⤵
PID:2748

C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\
8⤵
PID:2956

C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\
8⤵
PID:2612

C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\
8⤵
PID:2900

C:\Program Files\Microsoft Games\Purble Place\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
6⤵
- Drops file in Program Files directory
PID:2672

C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe" C:\Program Files\Microsoft Games\Purble Place\de-DE\
7⤵
PID:1960

C:\Program Files\Microsoft Games\Purble Place\en-US\update.exe
"C:\Program Files\Microsoft Games\Purble Place\en-US\update.exe" C:\Program Files\Microsoft Games\Purble Place\en-US\
7⤵
PID:2180

C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe" C:\Program Files\Microsoft Games\Purble Place\es-ES\
7⤵
PID:1620

C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Purble Place\fr-FR\
7⤵
PID:2924

C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe" C:\Program Files\Microsoft Games\Purble Place\it-IT\
7⤵
PID:936

C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Purble Place\ja-JP\
7⤵
PID:1140

C:\Program Files\Microsoft Games\Solitaire\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\backup.exe" C:\Program Files\Microsoft Games\Solitaire\
6⤵
PID:3008

C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\Solitaire\de-DE\
7⤵
PID:1548

C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\Solitaire\en-US\
7⤵
PID:1352

C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\Solitaire\es-ES\
7⤵
PID:1676

C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Solitaire\fr-FR\
7⤵
PID:2052

C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\Solitaire\it-IT\
7⤵
PID:468

C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Solitaire\ja-JP\
7⤵
PID:2976

C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\
6⤵
PID:1744

C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\
7⤵
PID:824

C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\
7⤵
PID:2660

C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\
7⤵
PID:1316

C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\System Restore.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\System Restore.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\
7⤵
PID:2216

C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\data.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\data.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\
7⤵
PID:1200

C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe
"C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\
7⤵
PID:1600

C:\Program Files\Microsoft Office\backup.exe
"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
5⤵
PID:2364

C:\Program Files\Microsoft Office\Office14\backup.exe
"C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
6⤵
PID:2992

C:\Program Files\Microsoft Office\Office14\1033\backup.exe
"C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
7⤵
PID:2952

C:\Program Files\Mozilla Firefox\backup.exe
"C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
5⤵
PID:852

C:\Program Files\Mozilla Firefox\browser\backup.exe
"C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
6⤵
- Modifies visibility of file extensions in Explorer
PID:1576

C:\Program Files\Mozilla Firefox\browser\features\backup.exe
"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
7⤵
PID:2540

C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
"C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
7⤵
PID:1692

C:\Program Files\Mozilla Firefox\defaults\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
6⤵
PID:2780

C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
7⤵
PID:2512

C:\Program Files\Mozilla Firefox\fonts\backup.exe
"C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
6⤵
PID:1032

C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
6⤵
PID:1488

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
7⤵
PID:1344

C:\Program Files\Mozilla Firefox\uninstall\backup.exe
"C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
6⤵
PID:2944

C:\Program Files\MSBuild\backup.exe
"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
5⤵
PID:1256

C:\Program Files\MSBuild\Microsoft\backup.exe
"C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
6⤵
PID:2616

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
7⤵
PID:1728

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
8⤵
PID:1536

C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
8⤵
PID:2496

C:\Program Files\Reference Assemblies\backup.exe
"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
5⤵
PID:2576

C:\Program Files\Reference Assemblies\Microsoft\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
6⤵
PID:1712

C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
7⤵
PID:2936

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
8⤵
PID:1848

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
9⤵
PID:2440

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
9⤵
PID:2828

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\update.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
9⤵
PID:2732

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
9⤵
PID:772

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System Restore.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
9⤵
PID:1968

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
9⤵
PID:2736

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
8⤵
- Modifies visibility of file extensions in Explorer
PID:408

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System Restore.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
9⤵
PID:1692

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
9⤵
PID:1140

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
9⤵
PID:2296

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
9⤵
PID:2396

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
9⤵
PID:1940

C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
9⤵
PID:804

C:\Program Files\VideoLAN\backup.exe
"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
5⤵
PID:2208

C:\Program Files\VideoLAN\VLC\backup.exe
"C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
6⤵
PID:2252

C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
"C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
7⤵
PID:1952

C:\Program Files\VideoLAN\VLC\locale\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
7⤵
- Drops file in Program Files directory
PID:1432

C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
8⤵
PID:1252

C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
9⤵
PID:2604

C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
8⤵
PID:2196

C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
9⤵
PID:1200

C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
8⤵
PID:2596

C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
9⤵
PID:1796

C:\Program Files\VideoLAN\VLC\locale\an\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\
8⤵
PID:2380

C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
9⤵
PID:1700

C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
8⤵
PID:1860

C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
9⤵
PID:784

C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\as_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
8⤵
PID:696

C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\System Restore.exe
"C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
9⤵
PID:656

C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
8⤵
PID:576

C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
9⤵
PID:952

C:\Program Files\VideoLAN\VLC\locale\az\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\az\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\
8⤵
PID:1988

C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\
9⤵
PID:1632

C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
8⤵
PID:2968

C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\
9⤵
- Modifies visibility of file extensions in Explorer
PID:548

C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\
8⤵
PID:2052

C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\update.exe
"C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
9⤵
PID:2152

C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\
8⤵
PID:1820

C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
9⤵
PID:1760

C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\
8⤵
PID:1316

C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\
9⤵
PID:2452

C:\Program Files\VideoLAN\VLC\locale\br\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\
8⤵
PID:1788

C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
9⤵
PID:2752

C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\
8⤵
PID:2416

C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\
9⤵
PID:2732

C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\
8⤵
PID:1764

C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\
9⤵
PID:2280

C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\
8⤵
PID:2540

C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\
9⤵
PID:1860

C:\Program Files\VideoLAN\VLC\locale\cgg\data.exe
"C:\Program Files\VideoLAN\VLC\locale\cgg\data.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\
8⤵
PID:2492

C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\
9⤵
- Disables RegEdit via registry modification
PID:1288

C:\Program Files\VideoLAN\VLC\locale\ckb\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ckb\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ckb\
8⤵
PID:2240

C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\
9⤵
PID:576

C:\Program Files\VideoLAN\VLC\locale\co\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\co\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\
8⤵
PID:2840

C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\
9⤵
PID:1940

C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\
8⤵
PID:2576

C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\
9⤵
PID:704

C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\
8⤵
PID:2348

C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\
9⤵
PID:1424

C:\Program Files\VideoLAN\VLC\locale\da\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\da\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\
8⤵
PID:2660

C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\
9⤵
PID:2988

C:\Program Files\VideoLAN\VLC\locale\de\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\de\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\
8⤵
PID:2528

C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\
9⤵
PID:1600

C:\Program Files\VideoLAN\VLC\locale\el\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\el\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\
8⤵
PID:484

C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\
9⤵
PID:1264

C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\
8⤵
PID:3012

C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\
9⤵
PID:2732

C:\Program Files\VideoLAN\VLC\locale\es\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\es\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\
8⤵
PID:2872

C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\
9⤵
PID:2428

C:\Program Files\VideoLAN\VLC\locale\et\System Restore.exe
"C:\Program Files\VideoLAN\VLC\locale\et\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\et\
8⤵
PID:2472

C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\
9⤵
PID:888

C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\
8⤵
- System policy modification
PID:2284

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\
9⤵
PID:1280

C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\
8⤵
PID:1612

C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\
9⤵
PID:1816

C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\
8⤵
PID:2608

C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\
9⤵
- System policy modification
PID:1420

C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\
8⤵
- Disables RegEdit via registry modification
PID:2144

C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\
9⤵
PID:1684

C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\
8⤵
PID:2152

C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\
9⤵
PID:2688

C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\
8⤵
PID:2616

C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\
9⤵
PID:2896

C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\
8⤵
- Drops file in Program Files directory
PID:1600

C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\
9⤵
PID:2228

C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\
8⤵
PID:1960

C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\
9⤵
PID:2040

C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\
8⤵
PID:2420

C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\
9⤵
PID:2736

C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\
8⤵
PID:312

C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\
9⤵
PID:1476

C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\
8⤵
PID:2300

C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\
9⤵
- System policy modification
PID:2004

C:\Program Files\VideoLAN\VLC\locale\he\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\he\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\
8⤵
PID:2268

C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\
9⤵
PID:2424

C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\
8⤵
PID:2852

C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\
9⤵
PID:804

C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\
8⤵
PID:3064

C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\update.exe
"C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\
9⤵
PID:1396

C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\
8⤵
PID:2016

C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\
9⤵
PID:1640

C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\
8⤵
PID:2344

C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\
9⤵
PID:2096

C:\Program Files\VideoLAN\VLC\locale\ia\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ia\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ia\
8⤵
PID:2388

C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\
9⤵
PID:1972

C:\Program Files\VideoLAN\VLC\locale\id\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\id\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\
8⤵
PID:2764

C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\System Restore.exe
"C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\
9⤵
PID:2884

C:\Program Files\VideoLAN\VLC\locale\is\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\is\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\
8⤵
PID:772

C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\
9⤵
PID:2416

C:\Program Files\VideoLAN\VLC\locale\it\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\it\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\
8⤵
PID:2456

C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\
9⤵
PID:2952

C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\
8⤵
PID:2788

C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\
9⤵
PID:888

C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\
8⤵
PID:2240

C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\
9⤵
PID:2412

C:\Program Files\VideoLAN\VLC\locale\kk\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\
8⤵
PID:2232

C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\
9⤵
PID:1064

C:\Program Files\VideoLAN\VLC\locale\km\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\km\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\
8⤵
PID:2668

C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\
9⤵
PID:2956

C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\
8⤵
PID:768

C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\
9⤵
PID:2832

C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\
8⤵
PID:2676

C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\
9⤵
PID:2332

C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\
8⤵
PID:1968

C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\System Restore.exe
"C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\
9⤵
PID:2540

C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\
8⤵
PID:2156

C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\
9⤵
PID:984

C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\
8⤵
PID:2080

C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\
9⤵
PID:2976

C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\
8⤵
PID:1684

C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\
9⤵
PID:1640

C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\
8⤵
PID:2464

C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\
9⤵
PID:2316

C:\Program Files\VideoLAN\VLC\locale\mai\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mai\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mai\
8⤵
PID:2884

C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\
9⤵
PID:2716

C:\Program Files\VideoLAN\VLC\locale\mk\System Restore.exe
"C:\Program Files\VideoLAN\VLC\locale\mk\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\mk\
8⤵
PID:2200

C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\
9⤵
PID:2024

C:\Program Files\VideoLAN\VLC\locale\ml\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ml\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ml\
8⤵
PID:1860

C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\
9⤵
PID:3024

C:\Program Files\VideoLAN\VLC\locale\mn\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mn\
8⤵
PID:1384

C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\
9⤵
PID:2972

C:\Program Files\VideoLAN\VLC\locale\mr\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mr\
8⤵
PID:2496

C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\
9⤵
PID:2912

C:\Program Files\VideoLAN\VLC\locale\ms\data.exe
"C:\Program Files\VideoLAN\VLC\locale\ms\data.exe" C:\Program Files\VideoLAN\VLC\locale\ms\
8⤵
PID:2780

C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\
9⤵
PID:2388

C:\Program Files\VideoLAN\VLC\locale\my\data.exe
"C:\Program Files\VideoLAN\VLC\locale\my\data.exe" C:\Program Files\VideoLAN\VLC\locale\my\
8⤵
PID:352

C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\
9⤵
PID:2844

C:\Program Files\VideoLAN\VLC\locale\nb\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\nb\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nb\
8⤵
PID:2504

C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\
9⤵
PID:1140

C:\Program Files\VideoLAN\VLC\locale\ne\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ne\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ne\
8⤵
PID:1136

C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\
9⤵
PID:2424

C:\Program Files\VideoLAN\VLC\locale\nl\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\nl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nl\
8⤵
PID:3024

C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\
9⤵
PID:852

C:\Program Files\VideoLAN\VLC\locale\nn\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\nn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\nn\
8⤵
PID:3064

C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\update.exe
"C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\
9⤵
PID:1664

C:\Program Files\VideoLAN\VLC\locale\oc\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\oc\backup.exe" C:\Program Files\VideoLAN\VLC\locale\oc\
8⤵
PID:2684

C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\
9⤵
PID:1252

C:\Program Files\VideoLAN\VLC\locale\or\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\or\backup.exe" C:\Program Files\VideoLAN\VLC\locale\or\
8⤵
PID:2776

C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\
9⤵
PID:1600

C:\Program Files\VideoLAN\VLC\locale\pa\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pa\
8⤵
PID:616

C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\
9⤵
PID:876

C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pl\
8⤵
PID:1152

C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\
9⤵
PID:2396

C:\Program Files\VideoLAN\VLC\locale\ps\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ps\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ps\
8⤵
PID:2284

C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\
9⤵
PID:2308

C:\Program Files\VideoLAN\VLC\locale\pt_BR\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pt_BR\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_BR\
8⤵
PID:2608

C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\
9⤵
PID:1648

C:\Program Files\VideoLAN\VLC\locale\pt_PT\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pt_PT\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_PT\
8⤵
PID:2460

C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\
9⤵
PID:1424

C:\Program Files\VideoLAN\VLC\locale\ro\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ro\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ro\
8⤵
PID:2748

C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\update.exe
"C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\
9⤵
PID:3028

C:\Program Files\VideoLAN\VLC\locale\ru\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ru\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ru\
8⤵
- Drops file in Program Files directory
PID:1588

C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\
9⤵
PID:2196

C:\Program Files\VideoLAN\VLC\locale\si\backup.exe
"C:\Program Files\VideoLAN\VLC\locale\si\backup.exe" C:\Program Files\VideoLAN\VLC\locale\si\
8⤵
PID:2320

C:\Program Files (x86)\update.exe
"C:\Program Files (x86)\update.exe" C:\Program Files (x86)\
4⤵
PID:908

C:\Program Files (x86)\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
5⤵
PID:2532

C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
6⤵
PID:3028

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
7⤵
PID:2668

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
7⤵
- Drops file in Program Files directory
PID:2672

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
8⤵
PID:2776

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
8⤵
PID:2364

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
8⤵
PID:2216

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
8⤵
PID:2676

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
9⤵
PID:1644

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
8⤵
PID:1784

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
8⤵
PID:2164

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
9⤵
PID:1924

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
8⤵
PID:1476

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
8⤵
PID:3036

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
9⤵
- Drops file in Program Files directory
PID:444

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
10⤵
PID:1676

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
9⤵
PID:1052

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
10⤵
PID:1296

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
11⤵
PID:2224

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
9⤵
PID:1500

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
10⤵
- Disables RegEdit via registry modification
PID:2980

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\System Restore.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
9⤵
PID:1432

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
10⤵
PID:2712

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
8⤵
PID:3012

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
9⤵
PID:1788

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
8⤵
PID:2876

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
8⤵
PID:2440

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
7⤵
PID:2216

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
8⤵
PID:2784

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
9⤵
PID:1628

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
8⤵
PID:2924

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
8⤵
PID:572

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
9⤵
PID:1940

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
9⤵
PID:952

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
10⤵
PID:2396

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\data.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
11⤵
PID:2528

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\update.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
8⤵
PID:1920

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
8⤵
PID:444

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
9⤵
PID:1360

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
10⤵
PID:2084

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
10⤵
- Drops file in Program Files directory
PID:1532

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
11⤵
PID:2972

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
11⤵
- Modifies visibility of file extensions in Explorer
PID:3040

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
11⤵
PID:2476

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
7⤵
PID:1636

C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
8⤵
PID:2812

C:\Program Files (x86)\Common Files\backup.exe
"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
5⤵
PID:2636

C:\Program Files (x86)\Common Files\Adobe\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
6⤵
PID:2780

C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
7⤵
PID:2908

C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
7⤵
PID:2540

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
8⤵
PID:1644

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
9⤵
PID:1628

C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
10⤵
PID:2024

C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
7⤵
PID:2164

C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
6⤵
PID:1940

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
7⤵
PID:1352

C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
8⤵
PID:1132

C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
6⤵
PID:1612

C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
6⤵
- Drops file in Program Files directory
PID:1012

C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
7⤵
PID:1792

C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
7⤵
PID:1504

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
7⤵
PID:2372

C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
8⤵
PID:1500

C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
7⤵
PID:400

C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
7⤵
PID:1760

C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
7⤵
PID:1944

C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
7⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:2448

C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
8⤵
PID:1636

C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
8⤵
PID:2228

C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
8⤵
PID:496

C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
8⤵
PID:1264

C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
8⤵
PID:848

C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
8⤵
PID:1860

C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
8⤵
PID:2468

C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
8⤵
PID:2404

C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
8⤵
PID:2028

C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
8⤵
PID:1088

C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
8⤵
PID:1932

C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
7⤵
- Drops file in Program Files directory
PID:616

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
8⤵
PID:1612

C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
8⤵
PID:612

C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
8⤵
PID:892

C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
8⤵
PID:1744

C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
8⤵
PID:1668

C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
8⤵
PID:1500

C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
8⤵
PID:1664

C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
8⤵
PID:2604

C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
8⤵
PID:2344

C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
7⤵
PID:2708

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
7⤵
PID:2560

C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
8⤵
PID:2504

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
7⤵
- Drops file in Program Files directory
PID:2156

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
8⤵
PID:2728

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
8⤵
PID:2588

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
8⤵
PID:2872

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
8⤵
PID:1956

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
8⤵
PID:2008

C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
8⤵
PID:2164

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
7⤵
PID:1280

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
8⤵
PID:1948

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
8⤵
PID:1816

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
8⤵
PID:2004

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
9⤵
PID:1732

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
9⤵
PID:892

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
9⤵
PID:916

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
9⤵
PID:788

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
9⤵
PID:2568

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
9⤵
PID:768

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
9⤵
PID:2452

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
9⤵
PID:2528

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
9⤵
PID:3012

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
9⤵
PID:2456

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
9⤵
PID:1652

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
9⤵
PID:772

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
9⤵
PID:2784

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
9⤵
PID:2180

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
9⤵
PID:2024

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
9⤵
PID:1824

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
9⤵
PID:2296

C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe
"C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
7⤵
PID:2396

C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
7⤵
PID:832

C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
8⤵
PID:2400

C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
7⤵
PID:548

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
7⤵
PID:2016

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
8⤵
PID:1704

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
8⤵
- Drops file in Program Files directory
PID:2584

C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\
9⤵
PID:400

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
7⤵
PID:1604

C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
7⤵
PID:2700

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
7⤵
PID:2632

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\
8⤵
- System policy modification
PID:2124

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\
8⤵
PID:1976

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\
8⤵
PID:2740

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\
8⤵
PID:1724

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\
8⤵
PID:1800

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\
8⤵
PID:1520

C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\
8⤵
PID:2724

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
7⤵
- Drops file in Program Files directory
PID:1956

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\
8⤵
PID:600

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\
8⤵
PID:2164

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\
8⤵
PID:496

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\
8⤵
PID:996

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\
8⤵
PID:2168

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\
8⤵
PID:3032

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\
8⤵
PID:2052

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2864

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\
8⤵
PID:1396

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\
8⤵
PID:788

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\
8⤵
PID:2584

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\
8⤵
PID:444

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\
8⤵
PID:2684

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\
8⤵
PID:2912

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\
8⤵
PID:2752

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\
8⤵
PID:3012

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\
8⤵
PID:2908

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\
8⤵
PID:2952

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\
8⤵
PID:2716

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\
8⤵
PID:1472

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\
8⤵
PID:268

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\
8⤵
PID:1480

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\
8⤵
PID:2768

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\
8⤵
PID:3024

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\
8⤵
PID:572

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\
8⤵
- System policy modification
PID:1816

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\
8⤵
PID:1488

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\
8⤵
PID:804

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\
8⤵
PID:1504

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\
8⤵
PID:2864

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\
8⤵
PID:2656

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\
8⤵
PID:1952

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2388

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\
8⤵
PID:1372

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\
8⤵
PID:3028

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\
8⤵
PID:1716

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\
8⤵
PID:2744

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\
8⤵
PID:2456

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\
8⤵
PID:584

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\
8⤵
PID:2560

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\
8⤵
PID:2716

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\
8⤵
PID:2924

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\
8⤵
PID:2788

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\
8⤵
PID:2284

C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\
8⤵
PID:844

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
7⤵
PID:968

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\
8⤵
PID:2064

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\
8⤵
PID:2080

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\
8⤵
PID:2804

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\
8⤵
- System policy modification
PID:2104

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\
8⤵
PID:1684

C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\
8⤵
PID:896

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\
7⤵
PID:2824

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\data.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\
8⤵
PID:2568

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\
8⤵
PID:2748

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\
8⤵
PID:2856

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\
8⤵
PID:2812

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\
8⤵
PID:2228

C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\System Restore.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\
8⤵
PID:2884

C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\
7⤵
PID:2992

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\
8⤵
PID:1800

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\
8⤵
PID:2188

C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\
9⤵
PID:1472

C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VC\
7⤵
PID:1160

C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VGX\
7⤵
PID:1028

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\
7⤵
PID:2564

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\
8⤵
PID:1480

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\
9⤵
PID:996

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\
8⤵
PID:920

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
9⤵
PID:1328

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\
8⤵
- Disables RegEdit via registry modification
PID:2344

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
9⤵
PID:2232

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\
9⤵
PID:1064

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\
9⤵
PID:2712

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\
9⤵
- Modifies visibility of file extensions in Explorer
PID:1952

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\
7⤵
PID:1532

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\
8⤵
PID:2488

C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\
9⤵
- System policy modification
PID:2388

C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\
7⤵
PID:1656

C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\
8⤵
PID:1636

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\
7⤵
PID:616

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\
8⤵
PID:2928

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\
9⤵
PID:2500

C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe
"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\
10⤵
PID:2456

C:\Program Files (x86)\Common Files\Services\backup.exe
"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
6⤵
PID:1628

C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
6⤵
PID:2428

C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
7⤵
PID:600

C:\Program Files (x86)\Common Files\System\backup.exe
"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
6⤵
- Drops file in Program Files directory
PID:1028

C:\Program Files (x86)\Common Files\System\ado\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
7⤵
PID:1352

C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
8⤵
PID:904

C:\Program Files (x86)\Common Files\System\ado\en-US\update.exe
"C:\Program Files (x86)\Common Files\System\ado\en-US\update.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
8⤵
PID:2492

C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
8⤵
PID:1816

C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
8⤵
- Disables RegEdit via registry modification
PID:2132

C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
8⤵
PID:852

C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
8⤵
PID:2592

C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
7⤵
PID:1064

C:\Program Files (x86)\Common Files\System\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
7⤵
PID:2712

C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
7⤵
PID:2964

C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
7⤵
PID:2216

C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
7⤵
PID:768

C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
7⤵
- System policy modification
PID:2616

C:\Program Files (x86)\Common Files\System\msadc\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
7⤵
PID:2244

C:\Program Files (x86)\Common Files\System\msadc\de-DE\System Restore.exe
"C:\Program Files (x86)\Common Files\System\msadc\de-DE\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
8⤵
PID:1264

C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
8⤵
PID:2940

C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
8⤵
PID:1764

C:\Program Files (x86)\Common Files\System\msadc\fr-FR\System Restore.exe
"C:\Program Files (x86)\Common Files\System\msadc\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
8⤵
PID:2500

C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
8⤵
PID:1152

C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
8⤵
PID:2156

C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe
"C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\
7⤵
PID:3024

C:\Program Files (x86)\Common Files\System\MSMAPI\1033\data.exe
"C:\Program Files (x86)\Common Files\System\MSMAPI\1033\data.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\1033\
8⤵
PID:2868

C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
7⤵
PID:1632

C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
8⤵
PID:2088

C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
8⤵
PID:804

C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
8⤵
PID:896

C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
8⤵
PID:2888

C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
8⤵
PID:2312

C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
"C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
8⤵
PID:2196

C:\Program Files (x86)\Google\backup.exe
"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
5⤵
PID:2740

C:\Program Files (x86)\Google\CrashReports\backup.exe
"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
6⤵
PID:1724

C:\Program Files (x86)\Google\Temp\backup.exe
"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
6⤵
PID:1804

C:\Program Files (x86)\Google\Update\System Restore.exe
"C:\Program Files (x86)\Google\Update\System Restore.exe" C:\Program Files (x86)\Google\Update\
6⤵
PID:784

C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
7⤵
- System policy modification
PID:2784

C:\Program Files (x86)\Google\Update\Download\backup.exe
"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
7⤵
PID:1824

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
8⤵
- Drops file in Program Files directory
PID:1156

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
9⤵
PID:2400

C:\Program Files (x86)\Google\Update\Install\backup.exe
"C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
7⤵
PID:2936

C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\backup.exe
"C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\
8⤵
PID:2972

C:\Program Files (x86)\Google\Update\Offline\backup.exe
"C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
7⤵
PID:3040

C:\Program Files (x86)\Internet Explorer\System Restore.exe
"C:\Program Files (x86)\Internet Explorer\System Restore.exe" C:\Program Files (x86)\Internet Explorer\
5⤵
PID:876

C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
6⤵
PID:2564

C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
6⤵
PID:2648

C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
6⤵
PID:1400

C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
"C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
6⤵
PID:1972

C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
"C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
6⤵
PID:2904

C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
"C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
6⤵
PID:2468

C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
"C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
6⤵
PID:1644

C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
5⤵
PID:2676

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
6⤵
PID:2008

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
7⤵
PID:1164

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
8⤵
PID:2524

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\update.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\update.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
8⤵
PID:2968

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe
"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\
9⤵
PID:2848

C:\Program Files (x86)\Microsoft Office\backup.exe
"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
5⤵
PID:1396

C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
6⤵
PID:2580

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\
7⤵
PID:2196

C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\
7⤵
- Drops file in Program Files directory
PID:3012

C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe
"C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\
8⤵
PID:1620

C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
6⤵
PID:1472

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\
7⤵
PID:2536

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\update.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\update.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\
7⤵
PID:2540

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe
"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\
7⤵
PID:2200

C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
6⤵
PID:576

C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\
7⤵
PID:1156

C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\
8⤵
PID:776

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\
7⤵
PID:2372

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\
8⤵
PID:2936

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\
8⤵
PID:2060

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\
8⤵
PID:1316

C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe
"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\
8⤵
PID:2572

C:\Program Files (x86)\Microsoft Office\Office14\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\
6⤵
PID:2812

C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\
7⤵
PID:1400

C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\
8⤵
PID:2280

C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\
8⤵
PID:2468

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\
8⤵
PID:632

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\
9⤵
- Drops file in Program Files directory
PID:2540

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\
10⤵
PID:1676

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\
10⤵
PID:2788

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\update.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\update.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\
10⤵
PID:2412

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\
10⤵
PID:2640

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\
10⤵
PID:2324

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\
10⤵
PID:1516

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\
10⤵
PID:2688

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\
10⤵
PID:2956

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\
10⤵
PID:1640

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\
10⤵
- Modifies visibility of file extensions in Explorer
PID:2260

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe
"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\
10⤵
PID:1788

C:\Users\backup.exe
C:\Users\backup.exe C:\Users\
4⤵
PID:2892

C:\Users\Admin\backup.exe
C:\Users\Admin\backup.exe C:\Users\Admin\
5⤵
PID:1160

C:\Users\Admin\Contacts\backup.exe
C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
6⤵
PID:1344

C:\Users\Admin\Desktop\backup.exe
C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
6⤵
PID:1832

C:\Users\Admin\Documents\backup.exe
C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
6⤵
PID:2944

C:\Users\Admin\Downloads\backup.exe
C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
6⤵
PID:2132

C:\Users\Admin\Favorites\update.exe
C:\Users\Admin\Favorites\update.exe C:\Users\Admin\Favorites\
6⤵
PID:1284

C:\Users\Admin\Links\backup.exe
C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
6⤵
- Modifies visibility of file extensions in Explorer
PID:916

C:\Users\Admin\Music\backup.exe
C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
6⤵
PID:2644

C:\Users\Admin\Pictures\backup.exe
C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
6⤵
PID:2984

C:\Users\Admin\Saved Games\backup.exe
"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
6⤵
PID:2700

C:\Users\Admin\Searches\backup.exe
C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
6⤵
PID:2508

C:\Users\Admin\Videos\backup.exe
C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
6⤵
PID:2320

C:\Users\Public\backup.exe
C:\Users\Public\backup.exe C:\Users\Public\
5⤵
PID:2416

C:\Users\Public\Documents\backup.exe
C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
6⤵
PID:2952

C:\Users\Public\Downloads\backup.exe
C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
6⤵
PID:600

C:\Users\Public\Music\backup.exe
C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
6⤵
PID:572

C:\Users\Public\Music\Sample Music\backup.exe
"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
7⤵
PID:2772

C:\Users\Public\Pictures\backup.exe
C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
6⤵
PID:2804

C:\Users\Public\Pictures\Sample Pictures\backup.exe
"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
7⤵
PID:2088

C:\Users\Public\Recorded TV\backup.exe
"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
6⤵
PID:1932

C:\Users\Public\Recorded TV\Sample Media\backup.exe
"C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
7⤵
PID:1560

C:\Users\Public\Videos\backup.exe
C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
6⤵
PID:2488

C:\Users\Public\Videos\Sample Videos\backup.exe
"C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
7⤵
PID:2812

C:\Windows\backup.exe
C:\Windows\backup.exe C:\Windows\
4⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:2192

C:\Windows\addins\backup.exe
C:\Windows\addins\backup.exe C:\Windows\addins\
5⤵
PID:2832

C:\Windows\AppCompat\backup.exe
C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
5⤵
PID:2612

C:\Windows\AppPatch\backup.exe
C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
5⤵
PID:936

C:\Windows\AppPatch\AppPatch64\backup.exe
C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
6⤵
PID:2448

C:\Windows\AppPatch\Custom\backup.exe
C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
6⤵
PID:1288

C:\Windows\AppPatch\Custom\Custom64\backup.exe
C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
7⤵
PID:2788

C:\Windows\AppPatch\de-DE\backup.exe
C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
6⤵
PID:1832

C:\Windows\AppPatch\en-US\backup.exe
C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
6⤵
PID:332

C:\Windows\AppPatch\es-ES\backup.exe
C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
6⤵
PID:536

C:\Windows\AppPatch\fr-FR\backup.exe
C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
6⤵
PID:2060

C:\Windows\AppPatch\it-IT\backup.exe
C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
6⤵
PID:3008

C:\Windows\AppPatch\ja-JP\backup.exe
C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
6⤵
PID:1792

C:\Windows\assembly\backup.exe
C:\Windows\assembly\backup.exe C:\Windows\assembly\
5⤵
- Drops file in Windows directory
PID:764

C:\Windows\assembly\GAC\backup.exe
C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
6⤵
PID:1560

C:\Windows\assembly\GAC\ADODB\backup.exe
C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
7⤵
PID:1400

C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:1652

C:\Windows\assembly\GAC\Extensibility\backup.exe
C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
7⤵
PID:2728

C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
- Modifies visibility of file extensions in Explorer
PID:2040

C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe
C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\
7⤵
PID:1644

C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
8⤵
PID:2620

C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\System Restore.exe
"C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\System Restore.exe" C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\
8⤵
PID:2168

C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
7⤵
PID:1612

C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:920

C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
7⤵
PID:1500

C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:2008

C:\Windows\assembly\GAC\mscomctl\backup.exe
C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
7⤵
PID:2600

C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
8⤵
- Disables RegEdit via registry modification
PID:2312

C:\Windows\assembly\GAC\MSDATASRC\backup.exe
C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
7⤵
PID:1788

C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:2636

C:\Windows\assembly\GAC\stdole\backup.exe
C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
7⤵
PID:2940

C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
8⤵
PID:2500

C:\Windows\assembly\GAC_32\update.exe
C:\Windows\assembly\GAC_32\update.exe C:\Windows\assembly\GAC_32\
6⤵
PID:2672

C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe
C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\
7⤵
PID:2472

C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
8⤵
PID:612

C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe
C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\
7⤵
PID:2772

C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\
8⤵
PID:1328

C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
7⤵
PID:2044

C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
8⤵
PID:2644

C:\Windows\assembly\GAC_32\ehexthost32\backup.exe
C:\Windows\assembly\GAC_32\ehexthost32\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\
7⤵
PID:1104

C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe
C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\
8⤵
PID:1596

C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
7⤵
PID:320

C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
8⤵
PID:676

C:\Windows\assembly\GAC_32\mcstoredb\backup.exe
C:\Windows\assembly\GAC_32\mcstoredb\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\
7⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2716

C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
21KB

MD5
c0625bc89ec57672b485cf786f145f88

SHA1
2a9a4e0b99781f5ea9f455dce2b55bed258d7d84

SHA256
36f503a2eeb4f0fbaad0987cf50507f09a8f47ed7844d07d45e16b747954934b

SHA512
52ff2af5bd5e23fe42dd7cc2c79dc8fe9d5a612438cd03f6e7217b7fcb0aaf416277a8b03a78ee96659b9b1e13f540be49598dd8bbdd8c6cb4d954d66a6e854d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\backup.exe

Filesize
72KB

MD5
1517f42d525aacbd3fc7c9589a706b73

SHA1
3a1d8c1f96b9130eec58f215dc55fea229e1da24

SHA256
060343aa1ad4178530a29f8892f58401c7f86e7892b66b0b5bfd6016793ea5dd

SHA512
4c0e71614b54ff2a950c7d787c109b57b6148fb8b08d8526051f210b7bd409dc94a1802958368209d7626945e2800416b103cdda4d8aaf928855826149dff330

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
72KB

MD5
5aa5a51b689631671d1d008666175897

SHA1
bdf07243acfc8de4113f1e7464555883b2bb2110

SHA256
9ff5a036a624a4961aa3f7d12e8414061c64f1ae3c73e6736ca256908dd476ae

SHA512
d70071edca6e2dbe0ca65a6dcedb89bc2758e823725bbf1bcd05fa7d1c33e2764dfd008b786930c0db80dd623b90d1157bccb309d4176e0efc4ae0aaa6a1871f

Download Submit
\PerfLogs\backup.exe

Filesize
72KB

MD5
501788e3c46d6496be9c7b853ff88f62

SHA1
4bdc71cd823561020e4d8c8ba108466c2a033446

SHA256
4d2a642e7fac0e0e282e64833294e83362f9a504934d6058a9cff176637e3b4e

SHA512
db3f2be383fe5e290b7f120e7cf43aeaff3d2d1e418032c4190387eb9c85dfc21ff94c9c4d6374660c715003e75dd99377a44eec4109e337824bf10448f74323

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
72KB

MD5
6771fa16ff1303df855a4a103c0e8eb0

SHA1
de0f6f341cbf91439a87dfd4aa13b35dad064232

SHA256
d70fdf6d8b8e27826d134b710de7b9c15f0073861e7f075225bf7156110be067

SHA512
d37a0f20c672c6f9bebfa9cf91e8eb3f97e6296efb494ed5980ff094e562025b772b6554b801ef95a4d5a1ae4a5fc6b4fa11d78f1f060a58a1e428ac84447e1d

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
72KB

MD5
8608f2797e2a6542b544d528755b4f58

SHA1
e85e0a0c06b0aa6c6a0d01eb164256d177a498e8

SHA256
d3c7eb929e861131a94c2c74123eace719039b2ede1c1a31a5c1ca4e55eafe35

SHA512
17232884d3729ab0024a588a710ca3ffca5577bdba11f7b152c4b2662e06e7c502f5b91a3fe70a2cfaed0cc47d295e26d0241aa6612191feed7a004498270b84

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
72KB

MD5
e486ecc61796ada759f0bd35839334a1

SHA1
bd9f9fad43ca7ed559957f0a5a86aa599e70460c

SHA256
8b38e20a0e6dc2b6f016e886c164b7fb3a5e49d9030b68817da4f57df5b471d4

SHA512
452824c50b3908a1944c0508919d7159a144c0cc1074d1e80e418da8ee530575bc00ad2ae49e7ad652780f6922cd07973bc01783d6e00ccfa1568c7aaea6f6d7

Download Submit
\Users\Admin\AppData\Local\Temp\1928637587\backup.exe

Filesize
72KB

MD5
4f86bde699948501ab5134f61985d48a

SHA1
e3017fc3b92ebff7e8648f77f5cef23a96d4f76b

SHA256
07b84f72465abafa0cff133f6b58a02b895593c01815aae9239e6478d315badd

SHA512
b4360f58ad3c8ff596f699688138d9c8dbced024137a87af9f332e3712476135d492b381e9c096c74047324a57f921431b43db7ffcb06d14000f848e9b1c3f13

Download Submit
memory/496-4343-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/572-4647-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/572-4651-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/876-6904-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/920-8401-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/920-8403-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1328-9504-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1328-9503-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1372-11872-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1500-3553-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1536-10696-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1560-8852-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1560-8851-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1676-7237-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1764-5751-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1764-5747-0x0000000000290000-0x00000000002A0000-memory.dmp

Filesize
64KB

Download
memory/1796-10891-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1796-10890-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1968-8335-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1968-8334-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2008-12008-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2008-12006-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2164-3731-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2240-8685-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2240-8686-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2280-4866-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2384-9794-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2528-12019-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2528-12021-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2540-3996-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2608-3504-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2612-6342-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2612-6343-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2628-10972-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2656-7318-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2656-7317-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2748-3588-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2840-10929-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2840-10923-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2888-7890-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2924-4887-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2936-6762-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2972-7322-0x0000000077840000-0x000000007793A000-memory.dmp

Filesize
1000KB

Download
memory/2972-2958-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2972-6175-0x0000000077840000-0x000000007793A000-memory.dmp

Filesize
1000KB

Download
memory/2972-6176-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2972-6474-0x0000000077840000-0x000000007793A000-memory.dmp

Filesize
1000KB

Download
memory/2972-2071-0x0000000002BC0000-0x0000000002CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2972-2070-0x0000000077840000-0x000000007793A000-memory.dmp

Filesize
1000KB

Download
memory/2972-6473-0x0000000077720000-0x000000007783F000-memory.dmp

Filesize
1.1MB

Download
memory/2972-7321-0x0000000077720000-0x000000007783F000-memory.dmp

Filesize
1.1MB

Download
memory/2972-8204-0x0000000077720000-0x000000007783F000-memory.dmp

Filesize
1.1MB

Download
memory/2972-8205-0x0000000077840000-0x000000007793A000-memory.dmp

Filesize
1000KB

Download
memory/2972-8206-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/2972-2953-0x0000000077720000-0x000000007783F000-memory.dmp

Filesize
1.1MB

Download
memory/2972-6174-0x0000000077720000-0x000000007783F000-memory.dmp

Filesize
1.1MB

Download
memory/2972-2069-0x0000000077720000-0x000000007783F000-memory.dmp

Filesize
1.1MB

Download
memory/3012-4525-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/3012-4520-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download