50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c

Analysis

max time kernel
32s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
Size

78KB
MD5

a0085f9746c0487a76698bf2ac37d4b0
SHA1

a3e14474c0753830ab0f727a2f5de5c5e1e93624
SHA256

50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c
SHA512

d1546aa4ac41e2ca84e6ce56e0a021791105b537b737438f616e787856dfbd5ff527ea874633f4ee58717501ee79bccc32fb51085e292465d97aacac61592f6b
SSDEEP

768:RpQNwC3BEddsEqOt/hyJF+x3BEJwRrPHisKl4qhq:7eTce/U/hKYuKPHisKldhq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Disables RegEdit via registry modification 64 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2512	System Restore.exe
2608	backup.exe
2696	backup.exe
2952	backup.exe
2384	backup.exe
2324	backup.exe
856	backup.exe
1240	backup.exe
1948	backup.exe
2776	backup.exe
2228	System Restore.exe
3028	backup.exe
724	backup.exe
1728	backup.exe
3012	backup.exe
1216	backup.exe
1248	backup.exe
1916	backup.exe
2868	backup.exe
1124	update.exe
1536	backup.exe
1876	backup.exe
1532	backup.exe
2192	update.exe
2572	backup.exe
2812	backup.exe
2428	backup.exe
2420	backup.exe
2384	backup.exe
1868	System Restore.exe
2124	backup.exe
2548	data.exe
2736	backup.exe
2084	System Restore.exe
1604	backup.exe
2440	backup.exe
1212	update.exe
2808	backup.exe
2888	backup.exe
2240	backup.exe
956	backup.exe
688	backup.exe
1056	backup.exe
1680	backup.exe
612	backup.exe
2244	backup.exe
2076	backup.exe
1620	System Restore.exe
1896	backup.exe
864	data.exe
2944	System Restore.exe
1752	backup.exe
892	backup.exe
2248	update.exe
1528	backup.exe
1624	backup.exe
2520	backup.exe
2396	backup.exe
2684	backup.exe
2788	backup.exe
2428	backup.exe
2420	backup.exe
2404	System Restore.exe
856	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
1240	backup.exe
1240	backup.exe
1948	backup.exe
1948	backup.exe
1240	backup.exe
1240	backup.exe
2228	System Restore.exe
2228	System Restore.exe
3028	backup.exe
3028	backup.exe
2228	System Restore.exe
2228	System Restore.exe
1728	backup.exe
1728	backup.exe
3012	backup.exe
3012	backup.exe
3012	backup.exe
3012	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1124	update.exe
1124	update.exe
1124	update.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
2192	update.exe
2192	update.exe
2192	update.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
1248	backup.exe
2384	backup.exe
2384	backup.exe
2384	backup.exe
2384	backup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\backup.exe	System Restore.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\data.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\update.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe	update.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe	System Restore.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\update.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\backup.exe	Process not Found
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\backup.exe	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe	backup.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\readme.eml	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\data.exe	backup.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\readme.eml	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\backup.exe	Process not Found
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe	backup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\mcstoredb\update.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\data.exe	Process not Found
File opened for modification	C:\Windows\AppPatch\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\data.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\update.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\BDATunePIA\System Restore.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\AppPatch\AppPatch64\System Restore.exe	backup.exe
File opened for modification	C:\Windows\AppPatch\Custom\Custom64\backup.exe	update.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\addins\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\naphlpr\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Data.OracleClient\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\data.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\update.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System Restore.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\mscorlib\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\data.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\System.EnterpriseServices\update.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\AppCompat\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe	Process not Found
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\update.exe	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
2512	System Restore.exe
2608	backup.exe
2696	backup.exe
2952	backup.exe
2384	backup.exe
2324	backup.exe
856	backup.exe
1240	backup.exe
1948	backup.exe
2776	backup.exe
2228	System Restore.exe
3028	backup.exe
724	backup.exe
1728	backup.exe
3012	backup.exe
1216	backup.exe
1248	backup.exe
1916	backup.exe
2868	backup.exe
1124	update.exe
1536	backup.exe
1876	backup.exe
1532	backup.exe
2192	update.exe
2572	backup.exe
2812	backup.exe
2428	backup.exe
2420	backup.exe
2384	backup.exe
1868	System Restore.exe
2124	backup.exe
2548	data.exe
2736	backup.exe
2084	System Restore.exe
1604	backup.exe
2440	backup.exe
1212	update.exe
2808	backup.exe
2888	backup.exe
2240	backup.exe
956	backup.exe
688	backup.exe
1056	backup.exe
1680	backup.exe
612	backup.exe
2244	backup.exe
2076	backup.exe
1620	System Restore.exe
1896	backup.exe
864	data.exe
2944	System Restore.exe
1752	backup.exe
892	backup.exe
2248	update.exe
1528	backup.exe
1624	backup.exe
2520	backup.exe
2396	backup.exe
2684	backup.exe
2788	backup.exe
2428	backup.exe
2420	backup.exe
2404	System Restore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2984	1460	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	28
PID 1460 wrote to memory of 2984	1460	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	28
PID 1460 wrote to memory of 2984	1460	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	28
PID 1460 wrote to memory of 2984	1460	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	28
PID 2984 wrote to memory of 2512	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	29
PID 2984 wrote to memory of 2512	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	29
PID 2984 wrote to memory of 2512	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	29
PID 2984 wrote to memory of 2512	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	29
PID 2984 wrote to memory of 2608	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	30
PID 2984 wrote to memory of 2608	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	30
PID 2984 wrote to memory of 2608	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	30
PID 2984 wrote to memory of 2608	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	30
PID 2984 wrote to memory of 2696	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	31
PID 2984 wrote to memory of 2696	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	31
PID 2984 wrote to memory of 2696	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	31
PID 2984 wrote to memory of 2696	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	31
PID 2984 wrote to memory of 2952	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	32
PID 2984 wrote to memory of 2952	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	32
PID 2984 wrote to memory of 2952	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	32
PID 2984 wrote to memory of 2952	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	32
PID 2984 wrote to memory of 2384	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	33
PID 2984 wrote to memory of 2384	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	33
PID 2984 wrote to memory of 2384	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	33
PID 2984 wrote to memory of 2384	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	33
PID 2984 wrote to memory of 2324	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	34
PID 2984 wrote to memory of 2324	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	34
PID 2984 wrote to memory of 2324	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	34
PID 2984 wrote to memory of 2324	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	34
PID 2984 wrote to memory of 856	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	35
PID 2984 wrote to memory of 856	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	35
PID 2984 wrote to memory of 856	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	35
PID 2984 wrote to memory of 856	2984	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	35
PID 1460 wrote to memory of 1152	1460	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	20
PID 1460 wrote to memory of 1152	1460	50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe	20
PID 2512 wrote to memory of 1240	2512	System Restore.exe	36
PID 2512 wrote to memory of 1240	2512	System Restore.exe	36
PID 2512 wrote to memory of 1240	2512	System Restore.exe	36
PID 2512 wrote to memory of 1240	2512	System Restore.exe	36
PID 1240 wrote to memory of 1948	1240	backup.exe	37
PID 1240 wrote to memory of 1948	1240	backup.exe	37
PID 1240 wrote to memory of 1948	1240	backup.exe	37
PID 1240 wrote to memory of 1948	1240	backup.exe	37
PID 1948 wrote to memory of 2776	1948	backup.exe	38
PID 1948 wrote to memory of 2776	1948	backup.exe	38
PID 1948 wrote to memory of 2776	1948	backup.exe	38
PID 1948 wrote to memory of 2776	1948	backup.exe	38
PID 1240 wrote to memory of 2228	1240	backup.exe	39
PID 1240 wrote to memory of 2228	1240	backup.exe	39
PID 1240 wrote to memory of 2228	1240	backup.exe	39
PID 1240 wrote to memory of 2228	1240	backup.exe	39
PID 2228 wrote to memory of 3028	2228	System Restore.exe	40
PID 2228 wrote to memory of 3028	2228	System Restore.exe	40
PID 2228 wrote to memory of 3028	2228	System Restore.exe	40
PID 2228 wrote to memory of 3028	2228	System Restore.exe	40
PID 3028 wrote to memory of 724	3028	backup.exe	41
PID 3028 wrote to memory of 724	3028	backup.exe	41
PID 3028 wrote to memory of 724	3028	backup.exe	41
PID 3028 wrote to memory of 724	3028	backup.exe	41
PID 2228 wrote to memory of 1728	2228	System Restore.exe	42
PID 2228 wrote to memory of 1728	2228	System Restore.exe	42
PID 2228 wrote to memory of 1728	2228	System Restore.exe	42
PID 2228 wrote to memory of 1728	2228	System Restore.exe	42
PID 1728 wrote to memory of 3012	1728	backup.exe	43
PID 1728 wrote to memory of 3012	1728	backup.exe	43

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	data.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	backup.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
  "C:\Users\Admin\AppData\Local\Temp\50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Local\Temp\50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe
    "C:\Users\Admin\AppData\Local\Temp\50806d0319dea4fa4fe4b083f8a49cda90ea0849455471283c72bac94cd2d78c.exe"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\3780582564\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\3780582564\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\3780582564\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\backup.exe
        
        \backup.exe \
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\PerfLogs\backup.exe
        
        C:\PerfLogs\backup.exe C:\PerfLogs\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2776
      - C:\Program Files\System Restore.exe
        
        "C:\Program Files\System Restore.exe" C:\Program Files\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:724
        
        C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3012
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1248
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        10⤵
        Disables RegEdit via registry modification
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        10⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2192
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1868
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2124
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2736
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2440
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1620
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1896
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:864
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2944
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2248
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2520
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2396
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2788
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2428
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2420
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2404
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        10⤵
        
        PID:2712
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        10⤵
        
        PID:2012
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        10⤵
        
        PID:1600
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        10⤵
        System policy modification
        
        PID:2004
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        10⤵
        System policy modification
        
        PID:1224
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        10⤵
        
        PID:296
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        9⤵
        
        PID:1968
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        10⤵
        
        PID:2856
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2888
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        9⤵
        
        PID:800
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        10⤵
        
        PID:1752
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        10⤵
        
        PID:892
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        10⤵
        
        PID:2608
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        10⤵
        
        PID:2988
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        10⤵
        
        PID:2680
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        10⤵
        
        PID:2428
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        9⤵
        System policy modification
        
        PID:2420
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        10⤵
        
        PID:2448
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        10⤵
        
        PID:2664
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        10⤵
        
        PID:1608
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        10⤵
        
        PID:2748
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        10⤵
        
        PID:2280
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        10⤵
        
        PID:2268
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        9⤵
        
        PID:1376
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        9⤵
        
        PID:1748
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        9⤵
        
        PID:2636
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        10⤵
        
        PID:2204
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        11⤵
        
        PID:320
        
        C:\Program Files\Common Files\Services\backup.exe
        
        "C:\Program Files\Common Files\Services\backup.exe" C:\Program Files\Common Files\Services\
        8⤵
        
        PID:1588
        
        C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        8⤵
        Drops file in Program Files directory
        
        PID:1784
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        9⤵
        
        PID:1540
        
        C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        8⤵
        Disables RegEdit via registry modification
        
        PID:836
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        9⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:332
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        10⤵
        
        PID:1432
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2576
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        10⤵
        
        PID:2952
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        10⤵
        
        PID:2372
        
        C:\Program Files\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1924
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        10⤵
        
        PID:2664
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        9⤵
        
        PID:2712
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        9⤵
        
        PID:2764
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        9⤵
        
        PID:2268
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        9⤵
        
        PID:1756
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        9⤵
        
        PID:1376
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        9⤵
        
        PID:2668
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        9⤵
        Drops file in Program Files directory
        
        PID:2848
        
        C:\Program Files\Common Files\System\msadc\de-DE\update.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\update.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        10⤵
        
        PID:2204
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        10⤵
        System policy modification
        
        PID:992
        
        C:\Program Files\Common Files\System\msadc\es-ES\System Restore.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\System Restore.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        10⤵
        
        PID:1056
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        10⤵
        
        PID:1708
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        10⤵
        
        PID:912
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        10⤵
        
        PID:2244
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:952
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        10⤵
        
        PID:1784
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        10⤵
        
        PID:1456
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        10⤵
        
        PID:2156
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        10⤵
        
        PID:1548
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        10⤵
        
        PID:1428
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        10⤵
        
        PID:1944
        
        C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        7⤵
        Disables RegEdit via registry modification
        
        PID:2328
        
        C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        8⤵
        
        PID:1624
        
        C:\Program Files\DVD Maker\en-US\data.exe
        
        "C:\Program Files\DVD Maker\en-US\data.exe" C:\Program Files\DVD Maker\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2572
        
        C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        8⤵
        
        PID:2676
        
        C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        8⤵
        
        PID:1776
        
        C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        8⤵
        
        PID:2472
        
        C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        8⤵
        
        PID:1580
        
        C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        8⤵
        
        PID:2740
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        9⤵
        Drops file in Program Files directory
        
        PID:2012
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        10⤵
        
        PID:2712
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        10⤵
        
        PID:2420
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        10⤵
        
        PID:2004
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        10⤵
        
        PID:2276
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1948
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        10⤵
        System policy modification
        
        PID:2184
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        10⤵
        
        PID:2212
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        10⤵
        
        PID:2652
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        10⤵
        
        PID:884
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        10⤵
        
        PID:780
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        10⤵
        
        PID:992
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        10⤵
        
        PID:832
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        10⤵
        
        PID:684
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        10⤵
        
        PID:1292
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        10⤵
        
        PID:1316
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        10⤵
        
        PID:1416
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        10⤵
        
        PID:1420
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        10⤵
        
        PID:1188
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        10⤵
        
        PID:2156
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        10⤵
        
        PID:1544
        
        C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        7⤵
        
        PID:1876
        
        C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        8⤵
        
        PID:1648
        
        C:\Program Files\Google\Chrome\Application\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\
        9⤵
        
        PID:2828
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        10⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2600
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        11⤵
        
        PID:2832
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        11⤵
        
        PID:2676
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        11⤵
        
        PID:2680
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        11⤵
        
        PID:2428
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        11⤵
        
        PID:2580
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        11⤵
        
        PID:348
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        11⤵
        
        PID:2728
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        12⤵
        
        PID:1580
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        13⤵
        
        PID:1852
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        10⤵
        
        PID:2712
        
        C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        7⤵
        Drops file in Program Files directory
        
        PID:1552
        
        C:\Program Files\Internet Explorer\de-DE\data.exe
        
        "C:\Program Files\Internet Explorer\de-DE\data.exe" C:\Program Files\Internet Explorer\de-DE\
        8⤵
        
        PID:1588
        
        C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1556
        
        C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        8⤵
        
        PID:1576
        
        C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        8⤵
        
        PID:2212
        
        C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        8⤵
        
        PID:324
        
        C:\Program Files\Internet Explorer\it-IT\update.exe
        
        "C:\Program Files\Internet Explorer\it-IT\update.exe" C:\Program Files\Internet Explorer\it-IT\
        8⤵
        
        PID:1788
        
        C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        8⤵
        
        PID:780
        
        C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        8⤵
        
        PID:992
        
        C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        7⤵
        
        PID:3056
        
        C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2244
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        9⤵
        
        PID:1908
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        10⤵
        
        PID:2932
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        10⤵
        
        PID:2148
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        9⤵
        
        PID:3068
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        10⤵
        
        PID:2328
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
        11⤵
        
        PID:2208
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        9⤵
        
        PID:1524
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
        10⤵
        
        PID:2592
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
        11⤵
        
        PID:2832
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
        11⤵
        
        PID:2408
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
        11⤵
        
        PID:800
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
        10⤵
        
        PID:2656
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
        11⤵
        
        PID:2756
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
        11⤵
        
        PID:996
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
        11⤵
        
        PID:2024
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
        11⤵
        
        PID:1144
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1020
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
        11⤵
        
        PID:2424
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
        11⤵
        
        PID:2712
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
        12⤵
        
        PID:2920
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
        11⤵
        
        PID:2000
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
        11⤵
        
        PID:1588
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
        11⤵
        
        PID:1856
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
        11⤵
        Drops file in Program Files directory
        
        PID:1848
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
        12⤵
        
        PID:2240
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
        12⤵
        
        PID:2744
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
        13⤵
        
        PID:2888
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
        13⤵
        
        PID:1128
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
        13⤵
        System policy modification
        
        PID:3024
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
        13⤵
        
        PID:2732
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
        12⤵
        
        PID:684
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
        12⤵
        
        PID:932
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
        12⤵
        
        PID:760
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
        12⤵
        Disables RegEdit via registry modification
        
        PID:1784
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
        12⤵
        
        PID:1568
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
        12⤵
        
        PID:1480
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
        12⤵
        
        PID:1752
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
        12⤵
        
        PID:2012
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
        12⤵
        
        PID:900
        
        C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        9⤵
        
        PID:2840
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2380
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
        11⤵
        
        PID:2576
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        12⤵
        
        PID:2132
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
        12⤵
        
        PID:2216
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
        11⤵
        
        PID:2324
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
        11⤵
        
        PID:2448
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        12⤵
        
        PID:1924
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        12⤵
        System policy modification
        
        PID:2588
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        12⤵
        
        PID:1996
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        12⤵
        
        PID:1932
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        12⤵
        System policy modification
        
        PID:2008
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        12⤵
        
        PID:2440
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        12⤵
        
        PID:1756
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        12⤵
        
        PID:2804
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        12⤵
        
        PID:2808
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
        12⤵
        
        PID:488
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
        13⤵
        
        PID:1684
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
        12⤵
        
        PID:2188
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
        13⤵
        System policy modification
        
        PID:2860
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:884
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\
        13⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2876
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\
        12⤵
        
        PID:1056
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\
        13⤵
        Disables RegEdit via registry modification
        
        PID:3024
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\
        12⤵
        
        PID:2752
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\
        13⤵
        
        PID:1696
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\
        12⤵
        
        PID:1896
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\
        13⤵
        
        PID:760
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\
        12⤵
        
        PID:1048
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\
        13⤵
        
        PID:1724
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\
        12⤵
        
        PID:2156
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\
        13⤵
        
        PID:2288
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\
        12⤵
        
        PID:2464
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\
        13⤵
        
        PID:1628
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\
        12⤵
        
        PID:2656
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\
        13⤵
        
        PID:2192
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\
        12⤵
        
        PID:2692
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\
        13⤵
        
        PID:2832
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\
        12⤵
        
        PID:2952
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\
        13⤵
        
        PID:2504
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\
        12⤵
        
        PID:2428
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\
        13⤵
        
        PID:2924
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
        11⤵
        
        PID:1924
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        12⤵
        
        PID:2612
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        13⤵
        
        PID:1852
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
        14⤵
        
        PID:2292
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        12⤵
        
        PID:2296
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
        13⤵
        
        PID:1712
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
        14⤵
        System policy modification
        
        PID:2712
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
        11⤵
        
        PID:2000
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
        12⤵
        
        PID:2356
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
        13⤵
        
        PID:672
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
        14⤵
        
        PID:2344
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
        15⤵
        
        PID:2904
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
        15⤵
        
        PID:1056
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
        15⤵
        System policy modification
        
        PID:864
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
        13⤵
        
        PID:1664
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
        13⤵
        
        PID:1980
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
        12⤵
        
        PID:2132
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
        13⤵
        
        PID:2756
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
        13⤵
        
        PID:1144
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
        13⤵
        
        PID:1876
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
        13⤵
        
        PID:348
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
        12⤵
        
        PID:1028
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
        13⤵
        
        PID:2160
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
        12⤵
        
        PID:956
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\
        13⤵
        
        PID:608
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\
        14⤵
        
        PID:1456
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\
        13⤵
        
        PID:1428
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\
        13⤵
        
        PID:2012
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
        10⤵
        
        PID:1504
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
        11⤵
        
        PID:2672
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
        11⤵
        
        PID:2504
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
        12⤵
        
        PID:1320
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
        13⤵
        
        PID:1868
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
        13⤵
        
        PID:2596
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
        12⤵
        Disables RegEdit via registry modification
        
        PID:2296
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\
        13⤵
        
        PID:2412
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
        12⤵
        
        PID:2060
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\
        13⤵
        
        PID:344
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
        12⤵
        
        PID:1420
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\
        13⤵
        
        PID:608
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\
        14⤵
        
        PID:2904
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\
        13⤵
        System policy modification
        
        PID:1628
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
        12⤵
        Disables RegEdit via registry modification
        
        PID:2560
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
        11⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2388
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\
        12⤵
        
        PID:2684
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\
        13⤵
        
        PID:1984
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\
        12⤵
        System policy modification
        
        PID:2760
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\
        13⤵
        System policy modification
        
        PID:2828
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\
        14⤵
        
        PID:2384
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
        15⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1856
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\
        14⤵
        
        PID:1880
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
        15⤵
        System policy modification
        
        PID:1256
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\
        13⤵
        
        PID:1292
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\
        12⤵
        
        PID:864
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\
        13⤵
        
        PID:888
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\
        12⤵
        
        PID:2568
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
        11⤵
        
        PID:2376
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\
        12⤵
        
        PID:2604
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\
        13⤵
        
        PID:2032
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\
        12⤵
        
        PID:2736
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\
        13⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:352
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\
        12⤵
        Drops file in Program Files directory
        
        PID:340
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\
        13⤵
        Disables RegEdit via registry modification
        
        PID:1852
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\
        12⤵
        
        PID:1344
        
        C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        8⤵
        
        PID:2360
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        9⤵
        
        PID:1184
        
        C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        10⤵
        
        PID:572
        
        C:\Program Files\Java\jre7\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
        10⤵
        
        PID:884
        
        C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1256
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        9⤵
        Drops file in Program Files directory
        
        PID:1104
        
        C:\Program Files\Java\jre7\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
        10⤵
        
        PID:3036
        
        C:\Program Files\Java\jre7\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
        10⤵
        
        PID:2208
        
        C:\Program Files\Java\jre7\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
        10⤵
        
        PID:3068
        
        C:\Program Files\Java\jre7\lib\deploy\data.exe
        
        "C:\Program Files\Java\jre7\lib\deploy\data.exe" C:\Program Files\Java\jre7\lib\deploy\
        10⤵
        
        PID:2216
        
        C:\Program Files\Java\jre7\lib\ext\data.exe
        
        "C:\Program Files\Java\jre7\lib\ext\data.exe" C:\Program Files\Java\jre7\lib\ext\
        10⤵
        
        PID:2524
        
        C:\Program Files\Java\jre7\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\
        10⤵
        
        PID:1836
        
        C:\Program Files\Java\jre7\lib\images\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
        10⤵
        System policy modification
        
        PID:2572
        
        C:\Program Files\Java\jre7\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\
        11⤵
        Disables RegEdit via registry modification
        
        PID:2124
        
        C:\Program Files\Java\jre7\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
        10⤵
        
        PID:2660
        
        C:\Program Files\Java\jre7\lib\management\backup.exe
        
        "C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\
        10⤵
        
        PID:2484
        
        C:\Program Files\Java\jre7\lib\security\backup.exe
        
        "C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
        10⤵
        
        PID:2736
        
        C:\Program Files\Java\jre7\lib\zi\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\
        10⤵
        
        PID:2716
        
        C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe" C:\Program Files\Java\jre7\lib\zi\Africa\
        11⤵
        
        PID:1212
        
        C:\Program Files\Java\jre7\lib\zi\America\update.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\update.exe" C:\Program Files\Java\jre7\lib\zi\America\
        11⤵
        
        PID:1192
        
        C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\
        12⤵
        
        PID:1344
        
        C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\
        12⤵
        
        PID:724
        
        C:\Program Files\Java\jre7\lib\zi\America\Kentucky\data.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Kentucky\data.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\
        12⤵
        
        PID:1948
        
        C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\System Restore.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\System Restore.exe" C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\
        12⤵
        
        PID:2724
        
        C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\
        11⤵
        System policy modification
        
        PID:1216
        
        C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Asia\
        11⤵
        
        PID:2852
        
        C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jre7\lib\zi\Atlantic\
        11⤵
        Disables RegEdit via registry modification
        
        PID:3036
        
        C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Australia\
        11⤵
        
        PID:1544
        
        C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe" C:\Program Files\Java\jre7\lib\zi\Etc\
        11⤵
        System policy modification
        
        PID:472
        
        C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe" C:\Program Files\Java\jre7\lib\zi\Europe\
        11⤵
        
        PID:2388
        
        C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe" C:\Program Files\Java\jre7\lib\zi\Indian\
        11⤵
        
        PID:2524
        
        C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jre7\lib\zi\Pacific\
        11⤵
        
        PID:2952
        
        C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jre7\lib\zi\SystemV\
        11⤵
        
        PID:1620
        
        C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        7⤵
        
        PID:2660
        
        C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        8⤵
        
        PID:2284
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        9⤵
        
        PID:296
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        9⤵
        
        PID:1708
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2912
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        9⤵
        
        PID:2596
        
        C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        9⤵
        
        PID:908
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        9⤵
        
        PID:2296
        
        C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        8⤵
        
        PID:2160
        
        C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
        9⤵
        
        PID:2460
        
        C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
        9⤵
        
        PID:1684
        
        C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
        9⤵
        
        PID:1256
        
        C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
        9⤵
        
        PID:1184
        
        C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
        9⤵
        
        PID:836
        
        C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\ja-JP\backup.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
        9⤵
        
        PID:2464
        
        C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        8⤵
        
        PID:1724
        
        C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
        9⤵
        
        PID:1628
        
        C:\Program Files\Microsoft Games\Hearts\en-US\data.exe
        
        "C:\Program Files\Microsoft Games\Hearts\en-US\data.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
        9⤵
        
        PID:2332
        
        C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
        9⤵
        System policy modification
        
        PID:1848
        
        C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
        9⤵
        
        PID:1776
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
        9⤵
        
        PID:332
        
        C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
        9⤵
        
        PID:2448
        
        C:\Program Files\Microsoft Games\Mahjong\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\System Restore.exe" C:\Program Files\Microsoft Games\Mahjong\
        8⤵
        
        PID:356
        
        C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\
        9⤵
        
        PID:976
        
        C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\
        9⤵
        
        PID:1640
        
        C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\
        9⤵
        
        PID:1852
        
        C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\
        9⤵
        
        PID:2176
        
        C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\
        9⤵
        
        PID:1856
        
        C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2284
        
        C:\Program Files\Microsoft Games\Minesweeper\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\System Restore.exe" C:\Program Files\Microsoft Games\Minesweeper\
        8⤵
        
        PID:1948
        
        C:\Program Files\Microsoft Games\Minesweeper\de-DE\update.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\de-DE\update.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
        9⤵
        
        PID:1148
        
        C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\
        9⤵
        
        PID:1192
        
        C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1568
        
        C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\
        9⤵
        
        PID:1548
        
        C:\Program Files\Microsoft Games\Minesweeper\it-IT\update.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\it-IT\update.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\
        9⤵
        
        PID:1516
        
        C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\
        9⤵
        
        PID:2208
        
        C:\Program Files\Microsoft Games\More Games\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
        8⤵
        
        PID:1944
        
        C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\
        9⤵
        
        PID:2988
        
        C:\Program Files\Microsoft Games\More Games\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\en-US\backup.exe" C:\Program Files\Microsoft Games\More Games\en-US\
        9⤵
        
        PID:1732
        
        C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe" C:\Program Files\Microsoft Games\More Games\es-ES\
        9⤵
        
        PID:892
        
        C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\
        9⤵
        
        PID:2260
        
        C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe" C:\Program Files\Microsoft Games\More Games\it-IT\
        9⤵
        
        PID:2280
        
        C:\Program Files\Microsoft Games\More Games\ja-JP\data.exe
        
        "C:\Program Files\Microsoft Games\More Games\ja-JP\data.exe" C:\Program Files\Microsoft Games\More Games\ja-JP\
        9⤵
        
        PID:1248
        
        C:\Program Files\Microsoft Games\Multiplayer\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
        8⤵
        Drops file in Program Files directory
        
        PID:2448
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\
        9⤵
        
        PID:1144
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\System Restore.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\
        10⤵
        
        PID:1712
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\
        10⤵
        
        PID:2856
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\
        10⤵
        
        PID:1212
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\
        10⤵
        
        PID:2648
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\
        10⤵
        
        PID:2316
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\
        10⤵
        
        PID:788
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\
        9⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2744
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\data.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\data.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\
        10⤵
        
        PID:932
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\update.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\update.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\
        10⤵
        
        PID:2168
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\
        10⤵
        
        PID:2140
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\
        10⤵
        
        PID:1048
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\
        10⤵
        
        PID:1516
        
        C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\
        10⤵
        
        PID:1260
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\
        9⤵
        System policy modification
        
        PID:1912
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\
        10⤵
        
        PID:2688
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\
        10⤵
        
        PID:672
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\
        10⤵
        
        PID:2556
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\
        10⤵
        
        PID:2976
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\
        10⤵
        System policy modification
        
        PID:2684
        
        C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\update.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\update.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\
        10⤵
        
        PID:2792
        
        C:\Program Files\Microsoft Games\Purble Place\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\
        8⤵
        
        PID:2488
        
        C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe" C:\Program Files\Microsoft Games\Purble Place\de-DE\
        9⤵
        
        PID:352
        
        C:\Program Files\Microsoft Games\Purble Place\en-US\data.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\en-US\data.exe" C:\Program Files\Microsoft Games\Purble Place\en-US\
        9⤵
        
        PID:2624
        
        C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe" C:\Program Files\Microsoft Games\Purble Place\es-ES\
        9⤵
        
        PID:1320
        
        C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Purble Place\fr-FR\
        9⤵
        System policy modification
        
        PID:1484
        
        C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe" C:\Program Files\Microsoft Games\Purble Place\it-IT\
        9⤵
        
        PID:2212
        
        C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Purble Place\ja-JP\
        9⤵
        
        PID:616
        
        C:\Program Files\Microsoft Games\Solitaire\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\System Restore.exe" C:\Program Files\Microsoft Games\Solitaire\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1316
        
        C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\Solitaire\de-DE\
        9⤵
        
        PID:344
        
        C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\Solitaire\en-US\
        9⤵
        
        PID:2600
        
        C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\Solitaire\es-ES\
        9⤵
        
        PID:2932
        
        C:\Program Files\Microsoft Games\Solitaire\fr-FR\System Restore.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\fr-FR\System Restore.exe" C:\Program Files\Microsoft Games\Solitaire\fr-FR\
        9⤵
        
        PID:1980
        
        C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\Solitaire\it-IT\
        9⤵
        
        PID:2800
        
        C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Solitaire\ja-JP\
        9⤵
        
        PID:2900
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\
        8⤵
        
        PID:2916
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\
        9⤵
        
        PID:2436
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\
        9⤵
        System policy modification
        
        PID:1836
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\
        9⤵
        
        PID:1104
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\
        9⤵
        
        PID:2424
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\
        9⤵
        
        PID:2420
        
        C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\
        9⤵
        
        PID:296
        
        C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        7⤵
        
        PID:856
        
        C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        8⤵
        
        PID:2276
        
        C:\Program Files\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
        9⤵
        
        PID:2100
        
        C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        7⤵
        
        PID:2860
        
        C:\Program Files\Mozilla Firefox\browser\update.exe
        
        "C:\Program Files\Mozilla Firefox\browser\update.exe" C:\Program Files\Mozilla Firefox\browser\
        8⤵
        
        PID:1964
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1244
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        9⤵
        
        PID:992
        
        C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        8⤵
        
        PID:3044
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        9⤵
        
        PID:1892
        
        C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        8⤵
        
        PID:2060
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        8⤵
        
        PID:2156
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        9⤵
        
        PID:760
        
        C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        8⤵
        
        PID:1576
        
        C:\Program Files\MSBuild\System Restore.exe
        
        "C:\Program Files\MSBuild\System Restore.exe" C:\Program Files\MSBuild\
        7⤵
        
        PID:912
        
        C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        8⤵
        
        PID:1420
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        9⤵
        
        PID:2580
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        10⤵
        
        PID:2028
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        10⤵
        System policy modification
        
        PID:2260
        
        C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        7⤵
        
        PID:2728
        
        C:\Program Files\Reference Assemblies\Microsoft\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\
        8⤵
        
        PID:1724
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        9⤵
        
        PID:2484
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        10⤵
        
        PID:2916
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        11⤵
        
        PID:1800
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        11⤵
        
        PID:2376
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        11⤵
        
        PID:2468
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        11⤵
        
        PID:772
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        11⤵
        Disables RegEdit via registry modification
        
        PID:2848
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\
        11⤵
        
        PID:2004
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        10⤵
        
        PID:992
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        11⤵
        
        PID:1520
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\update.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\update.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        11⤵
        
        PID:1908
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\
        11⤵
        
        PID:1428
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2248
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\
        11⤵
        
        PID:1456
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\
        11⤵
        System policy modification
        
        PID:2400
        
        C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        7⤵
        
        PID:2116
        
        C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        8⤵
        
        PID:1628
        
        C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\backup.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        9⤵
        
        PID:324
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        9⤵
        Drops file in Program Files directory
        
        PID:2192
        
        C:\Program Files\VideoLAN\VLC\locale\ach\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\update.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        10⤵
        
        PID:1420
        
        C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2572
        
        C:\Program Files\VideoLAN\VLC\locale\af\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\
        10⤵
        
        PID:2716
        
        C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\
        11⤵
        
        PID:812
        
        C:\Program Files\VideoLAN\VLC\locale\am\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\
        10⤵
        
        PID:2664
        
        C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\
        11⤵
        
        PID:1188
        
        C:\Program Files\VideoLAN\VLC\locale\an\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\an\
        10⤵
        
        PID:1492
        
        C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\
        11⤵
        
        PID:828
        
        C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\
        10⤵
        
        PID:2076
        
        C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\
        11⤵
        
        PID:2264
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\update.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\
        10⤵
        
        PID:616
        
        C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\
        11⤵
        
        PID:2752
        
        C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\
        10⤵
        
        PID:1520
        
        C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\
        11⤵
        
        PID:1908
        
        C:\Program Files\VideoLAN\VLC\locale\az\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\az\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\
        10⤵
        
        PID:1896
        
        C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\
        11⤵
        
        PID:3036
        
        C:\Program Files\VideoLAN\VLC\locale\be\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2860
        
        C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\
        11⤵
        
        PID:2292
        
        C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\
        10⤵
        
        PID:3040
        
        C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\
        11⤵
        
        PID:836
        
        C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\
        10⤵
        System policy modification
        
        PID:2672
        
        C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\
        11⤵
        
        PID:2616
        
        C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\
        10⤵
        
        PID:2084
        
        C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\
        11⤵
        
        PID:332
        
        C:\Program Files\VideoLAN\VLC\locale\br\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\
        10⤵
        
        PID:2792
        
        C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\
        11⤵
        
        PID:1916
        
        C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\
        10⤵
        
        PID:884
        
        C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\
        11⤵
        
        PID:3020
        
        C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\
        10⤵
        
        PID:1272
        
        C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\
        11⤵
        
        PID:1056
        
        C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\
        10⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:2888
        
        C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\
        11⤵
        
        PID:1500
        
        C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\
        10⤵
        
        PID:1232
        
        C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\
        11⤵
        
        PID:1404
        
        C:\Program Files\VideoLAN\VLC\locale\ckb\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ckb\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ckb\
        10⤵
        
        PID:2400
        
        C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\
        11⤵
        
        PID:1620
        
        C:\Program Files\VideoLAN\VLC\locale\co\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\co\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\
        10⤵
        
        PID:1720
        
        C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\
        11⤵
        
        PID:2672
        
        C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\
        10⤵
        
        PID:2428
        
        C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\
        11⤵
        
        PID:2084
        
        C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\
        10⤵
        
        PID:1012
        
        C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\
        11⤵
        
        PID:1588
        
        C:\Program Files\VideoLAN\VLC\locale\da\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\da\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\
        10⤵
        Disables RegEdit via registry modification
        
        PID:3012
        
        C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\
        11⤵
        
        PID:800
        
        C:\Program Files\VideoLAN\VLC\locale\de\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\de\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\
        10⤵
        Drops file in Program Files directory
        
        PID:1752
        
        C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\
        11⤵
        
        PID:2944
        
        C:\Program Files\VideoLAN\VLC\locale\el\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\el\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\
        10⤵
        
        PID:384
        
        C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\
        11⤵
        
        PID:1532
        
        C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\
        10⤵
        
        PID:1776
        
        C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\
        11⤵
        
        PID:1104
        
        C:\Program Files\VideoLAN\VLC\locale\es\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\es\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\
        10⤵
        
        PID:2444
        
        C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\
        11⤵
        
        PID:2628
        
        C:\Program Files\VideoLAN\VLC\locale\et\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\et\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\
        10⤵
        
        PID:2736
        
        C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\
        11⤵
        
        PID:2876
        
        C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\eu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\
        10⤵
        
        PID:2272
        
        C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\
        11⤵
        
        PID:988
        
        C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\
        10⤵
        
        PID:1568
        
        C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\
        11⤵
        
        PID:2356
        
        C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\
        10⤵
        
        PID:1704
        
        C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\
        11⤵
        
        PID:2988
        
        C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\
        10⤵
        
        PID:2956
        
        C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\
        11⤵
        
        PID:836
        
        C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fr\
        10⤵
        
        PID:2480
        
        C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\
        11⤵
        
        PID:1524
        
        C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fur\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\
        10⤵
        
        PID:2008
        
        C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\
        11⤵
        
        PID:2444
        
        C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\
        10⤵
        
        PID:1128
        
        C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\
        11⤵
        
        PID:1964
        
        C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ga\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\
        10⤵
        
        PID:1696
        
        C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\
        11⤵
        System policy modification
        
        PID:2272
        
        C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gd\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\
        10⤵
        
        PID:3008
        
        C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\
        11⤵
        
        PID:2568
        
        C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gl\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gl\
        10⤵
        
        PID:2988
        
        C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\
        11⤵
        
        PID:1784
        
        C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\
        10⤵
        
        PID:2704
        
        C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\
        11⤵
        
        PID:2528
        
        C:\Program Files\VideoLAN\VLC\locale\he\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\he\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\
        10⤵
        
        PID:2844
        
        C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\
        11⤵
        
        PID:1224
        
        C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\
        10⤵
        
        PID:1492
        
        C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\
        11⤵
        
        PID:1964
        
        C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hr\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\
        10⤵
        
        PID:1216
        
        C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\
        11⤵
        
        PID:1056
        
        C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hu\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\
        10⤵
        
        PID:2372
        
        C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\
        11⤵
        System policy modification
        
        PID:2172
        
        C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\
        10⤵
        
        PID:1724
        
        C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\
        11⤵
        Modifies visibility of file extensions in Explorer
        Disables RegEdit via registry modification
        
        PID:3044
        
        C:\Program Files\VideoLAN\VLC\locale\ia\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ia\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ia\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2952
        
        C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\
        11⤵
        
        PID:1940
        
        C:\Program Files\VideoLAN\VLC\locale\id\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\id\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\
        10⤵
        
        PID:2684
        
        C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\
        11⤵
        
        PID:2304
        
        C:\Program Files\VideoLAN\VLC\locale\is\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\is\data.exe" C:\Program Files\VideoLAN\VLC\locale\is\
        10⤵
        System policy modification
        
        PID:2528
        
        C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\
        11⤵
        
        PID:1800
        
        C:\Program Files\VideoLAN\VLC\locale\it\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\it\backup.exe" C:\Program Files\VideoLAN\VLC\locale\it\
        10⤵
        
        PID:2112
        
        C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\data.exe" C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1880
        
        C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ja\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\
        10⤵
        
        PID:1908
        
        C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\
        11⤵
        
        PID:1540
        
        C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ka\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\
        10⤵
        
        PID:1888
        
        C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\
        11⤵
        
        PID:2508
        
        C:\Program Files\VideoLAN\VLC\locale\kk\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kk\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\kk\
        10⤵
        
        PID:1996
        
        C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\
        11⤵
        
        PID:2616
        
        C:\Program Files\VideoLAN\VLC\locale\km\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\km\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\
        10⤵
        
        PID:1864
        
        C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\
        11⤵
        
        PID:2424
        
        C:\Program Files\VideoLAN\VLC\locale\kn\data.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kn\data.exe" C:\Program Files\VideoLAN\VLC\locale\kn\
        10⤵
        
        PID:1860
        
        C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\
        11⤵
        
        PID:1832
        
        C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\
        10⤵
        
        PID:348
        
        C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\
        11⤵
        
        PID:800
        
        C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ks_IN\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\
        10⤵
        Drops file in Program Files directory
        
        PID:1416
        
        C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\
        11⤵
        
        PID:2792
        
        C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ky\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\
        10⤵
        
        PID:1256
        
        C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\
        11⤵
        
        PID:1552
        
        C:\Program Files\VideoLAN\VLC\locale\lg\update.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lg\update.exe" C:\Program Files\VideoLAN\VLC\locale\lg\
        10⤵
        
        PID:3028
        
        C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\
        11⤵
        
        PID:1732
        
        C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lt\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\
        10⤵
        
        PID:2016
        
        C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\
        11⤵
        
        PID:2888
        
        C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lv\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\
        10⤵
        Drops file in Program Files directory
        
        PID:2540
        
        C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\
        11⤵
        
        PID:2492
        
        C:\Program Files\VideoLAN\VLC\locale\mai\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mai\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mai\
        10⤵
        
        PID:2496
        
        C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\
        11⤵
        
        PID:2380
        
        C:\Program Files\VideoLAN\VLC\locale\mk\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\mk\backup.exe" C:\Program Files\VideoLAN\VLC\locale\mk\
        10⤵
        Drops file in Program Files directory
        
        PID:1512
      - C:\Program Files (x86)\backup.exe
        
        "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
        6⤵
        
        PID:1748
        
        C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        7⤵
        
        PID:2352
        
        C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        8⤵
        
        PID:2196
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        9⤵
        
        PID:612
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        9⤵
        Drops file in Program Files directory
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        10⤵
        
        PID:1188
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        10⤵
        
        PID:2148
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        10⤵
        
        PID:892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        10⤵
        
        PID:2788
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        11⤵
        
        PID:2472
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\System Restore.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\System Restore.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        10⤵
        
        PID:1008
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        10⤵
        System policy modification
        
        PID:2412
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        11⤵
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        10⤵
        
        PID:2184
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        10⤵
        
        PID:324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        11⤵
        
        PID:884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        12⤵
        
        PID:3040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        11⤵
        
        PID:1552
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        12⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        13⤵
        
        PID:1632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        11⤵
        
        PID:1848
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        12⤵
        
        PID:2656
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        11⤵
        
        PID:2484
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        12⤵
        
        PID:2540
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        10⤵
        
        PID:2632
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        11⤵
        
        PID:2924
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        10⤵
        
        PID:1600
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        10⤵
        
        PID:2276
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        9⤵
        
        PID:2360
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        10⤵
        
        PID:2132
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        11⤵
        
        PID:2340
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        10⤵
        
        PID:912
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        10⤵
        
        PID:3040
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        11⤵
        
        PID:2836
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        11⤵
        
        PID:1724
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        12⤵
        
        PID:952
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        13⤵
        
        PID:1944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        10⤵
        
        PID:560
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        10⤵
        
        PID:2492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        11⤵
        
        PID:2368
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1776
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        12⤵
        
        PID:2648
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        13⤵
        
        PID:2252
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        13⤵
        Disables RegEdit via registry modification
        
        PID:2300
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        13⤵
        
        PID:1640
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        9⤵
        
        PID:1948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        10⤵
        
        PID:1884
        
        C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1044
        
        C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        8⤵
        Drops file in Program Files directory
        
        PID:1620
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        9⤵
        
        PID:2036
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        9⤵
        
        PID:1728
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        10⤵
        Drops file in Program Files directory
        
        PID:1524
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        11⤵
        
        PID:2556
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        12⤵
        
        PID:1848
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\update.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        9⤵
        
        PID:2432
        
        C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        8⤵
        
        PID:2448
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        9⤵
        
        PID:2624
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2664
        
        C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        8⤵
        
        PID:1212
        
        C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        8⤵
        Drops file in Program Files directory
        
        PID:1720
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        9⤵
        
        PID:2204
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1964
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        9⤵
        
        PID:448
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        10⤵
        
        PID:2460
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        9⤵
        
        PID:1696
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        9⤵
        
        PID:2828
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        9⤵
        System policy modification
        
        PID:2976
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        9⤵
        Drops file in Program Files directory
        
        PID:1188
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        10⤵
        
        PID:1888
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        10⤵
        
        PID:1732
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        10⤵
        
        PID:2568
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        10⤵
        
        PID:2656
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        10⤵
        
        PID:892
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        10⤵
        
        PID:1248
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        10⤵
        
        PID:2588
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        10⤵
        
        PID:2424
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        10⤵
        
        PID:812
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        10⤵
        
        PID:2480
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        10⤵
        
        PID:1876
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        9⤵
        Disables RegEdit via registry modification
        Drops file in Program Files directory
        
        PID:2668
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        10⤵
        System policy modification
        
        PID:768
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2376
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        10⤵
        System policy modification
        
        PID:2840
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        10⤵
        
        PID:616
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        10⤵
        
        PID:2920
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        10⤵
        
        PID:2744
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1512
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        10⤵
        
        PID:2060
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        10⤵
        
        PID:2172
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        9⤵
        
        PID:2220
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        9⤵
        
        PID:1784
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
        10⤵
        
        PID:2372
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        9⤵
        
        PID:2488
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        10⤵
        
        PID:1732
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        10⤵
        
        PID:2504
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2956
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        10⤵
        
        PID:1728
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        10⤵
        
        PID:3024
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1864
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        9⤵
        
        PID:2264
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
        10⤵
        
        PID:2664
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        10⤵
        
        PID:1664
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1660
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
        11⤵
        
        PID:1504
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
        11⤵
        
        PID:2316
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
        11⤵
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1252
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
        11⤵
        
        PID:1892
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
        11⤵
        System policy modification
        
        PID:2944
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
        11⤵
        
        PID:1968
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
        11⤵
        
        PID:1632
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1920
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
        11⤵
        
        PID:1912
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
        11⤵
        
        PID:1420
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
        11⤵
        
        PID:2556
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
        11⤵
        
        PID:1836
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
        11⤵
        
        PID:1728
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
        11⤵
        
        PID:2588
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
        11⤵
        
        PID:1536
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
        11⤵
        
        PID:2628
        
        C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1800
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        9⤵
        
        PID:1320
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
        10⤵
        
        PID:1916
        
        C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        9⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:2860
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        9⤵
        
        PID:688
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
        10⤵
        
        PID:2004
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
        10⤵
        Disables RegEdit via registry modification
        
        PID:1680
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\
        11⤵
        
        PID:2732
        
        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        9⤵
        
        PID:1880
        
        C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        9⤵
        
        PID:2140
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        9⤵
        
        PID:2760
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\
        10⤵
        System policy modification
        
        PID:1980
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\
        10⤵
        
        PID:2148
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\
        10⤵
        
        PID:2900
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\
        10⤵
        
        PID:2000
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\
        10⤵
        
        PID:2536
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\
        10⤵
        
        PID:2556
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\
        10⤵
        
        PID:1652
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
        9⤵
        Drops file in Program Files directory
        
        PID:1604
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\
        10⤵
        
        PID:2432
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\
        10⤵
        
        PID:2024
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\
        10⤵
        
        PID:812
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\
        10⤵
        
        PID:1800
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\
        10⤵
        
        PID:1708
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\
        10⤵
        
        PID:772
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2136
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\
        10⤵
        
        PID:616
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2412
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\
        10⤵
        
        PID:2460
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\
        10⤵
        
        PID:988
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\
        10⤵
        
        PID:1192
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\
        10⤵
        
        PID:2932
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\
        10⤵
        
        PID:1232
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\
        10⤵
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\
        10⤵
        
        PID:1784
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\
        10⤵
        
        PID:2720
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\
        10⤵
        
        PID:1628
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\
        10⤵
        
        PID:2536
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\
        10⤵
        
        PID:2404
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\
        10⤵
        
        PID:2548
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\
        10⤵
        
        PID:2844
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\
        10⤵
        
        PID:2420
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\
        10⤵
        
        PID:2708
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\
        10⤵
        
        PID:2664
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\
        10⤵
        
        PID:2912
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\
        10⤵
        
        PID:348
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\
        10⤵
        
        PID:1624
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\
        10⤵
        
        PID:992
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\
        10⤵
        
        PID:2244
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\
        10⤵
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\
        10⤵
        
        PID:2836
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\
        10⤵
        
        PID:2016
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\
        10⤵
        
        PID:2356
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\
        10⤵
        
        PID:3036
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\
        10⤵
        
        PID:2532
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\
        10⤵
        
        PID:2576
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\
        10⤵
        
        PID:2388
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\
        10⤵
        
        PID:1524
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\
        10⤵
        
        PID:1844
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\
        10⤵
        
        PID:2040
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\
        10⤵
        
        PID:2280
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2844
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\
        10⤵
        
        PID:2528
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\
        10⤵
        
        PID:2708
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
        9⤵
        
        PID:2480
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\
        10⤵
        
        PID:1932
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\
        10⤵
        
        PID:1484
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\
        10⤵
        
        PID:3020
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\
        10⤵
        
        PID:2352
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\
        10⤵
        
        PID:2752
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\
        10⤵
        
        PID:2244
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\
        9⤵
        
        PID:1928
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\
        10⤵
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2696
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\
        10⤵
        
        PID:1528
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\
        10⤵
        System policy modification
        
        PID:2148
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\
        10⤵
        
        PID:1260
        
        C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2812
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\
        9⤵
        
        PID:2496
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:324
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\
        10⤵
        
        PID:1728
        
        C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\
        11⤵
        
        PID:1984
        
        C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VC\
        9⤵
        
        PID:1600
        
        C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VGX\
        9⤵
        
        PID:764
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\
        9⤵
        
        PID:1688
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1492
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\
        11⤵
        
        PID:1556
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\
        10⤵
        
        PID:2276
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\
        11⤵
        
        PID:1400
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:788
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\
        11⤵
        
        PID:2412
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\
        11⤵
        
        PID:3028
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1892
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\
        11⤵
        
        PID:1756
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\
        9⤵
        
        PID:2140
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\
        10⤵
        Drops file in Program Files directory
        
        PID:2036
        
        C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\
        11⤵
        
        PID:2508
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\
        9⤵
        
        PID:2160
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\
        10⤵
        
        PID:2676
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\
        9⤵
        
        PID:2068
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\
        10⤵
        
        PID:2996
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\
        12⤵
        
        PID:1948
        
        C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        8⤵
        
        PID:2280
        
        C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        8⤵
        
        PID:2424
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2628
        
        C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        8⤵
        
        PID:352
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        9⤵
        
        PID:768
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        10⤵
        
        PID:1408
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        10⤵
        
        PID:2136
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        10⤵
        
        PID:2316
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        10⤵
        Disables RegEdit via registry modification
        
        PID:3048
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        10⤵
        
        PID:2144
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        10⤵
        
        PID:1892
        
        C:\Program Files (x86)\Common Files\System\de-DE\update.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\update.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        9⤵
        
        PID:1540
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        9⤵
        
        PID:2696
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        9⤵
        
        PID:2904
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        9⤵
        
        PID:2140
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        9⤵
        
        PID:2216
        
        C:\Program Files (x86)\Common Files\System\ja-JP\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\System Restore.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2644
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2148
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        10⤵
        
        PID:2404
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        10⤵
        
        PID:892
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        10⤵
        
        PID:2268
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        10⤵
        
        PID:1436
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        10⤵
        
        PID:2660
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        10⤵
        
        PID:1408
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\
        9⤵
        
        PID:2196
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\1033\
        10⤵
        
        PID:2920
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        9⤵
        Drops file in Program Files directory
        
        PID:2480
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        10⤵
        System policy modification
        
        PID:1568
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        10⤵
        
        PID:1968
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        10⤵
        
        PID:2172
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        10⤵
        
        PID:760
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        10⤵
        System policy modification
        
        PID:2964
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        10⤵
        
        PID:2520
        
        C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        7⤵
        
        PID:2652
        
        C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        8⤵
        
        PID:3024
        
        C:\Program Files (x86)\Google\Temp\backup.exe
        
        "C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\
        8⤵
        
        PID:2268
        
        C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        8⤵
        
        PID:1436
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        9⤵
        
        PID:2380
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        9⤵
        System policy modification
        
        PID:2184
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        10⤵
        
        PID:2376
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        11⤵
        
        PID:1028
        
        C:\Program Files (x86)\Google\Update\Install\System Restore.exe
        
        "C:\Program Files (x86)\Google\Update\Install\System Restore.exe" C:\Program Files (x86)\Google\Update\Install\
        9⤵
        
        PID:2352
        
        C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\data.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\data.exe" C:\Program Files (x86)\Google\Update\Install\{1FD4E3A4-6FE0-492C-90E9-7EE360CDB9FF}\
        10⤵
        
        PID:1756
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        9⤵
        
        PID:1444
        
        C:\Program Files (x86)\Internet Explorer\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\
        7⤵
        
        PID:2728
        
        C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        8⤵
        
        PID:2544
        
        C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        8⤵
        
        PID:912
        
        C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        8⤵
        Disables RegEdit via registry modification
        
        PID:1944
        
        C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        8⤵
        
        PID:2268
        
        C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        8⤵
        
        PID:2380
        
        C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        8⤵
        
        PID:2204
        
        C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        8⤵
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        7⤵
        
        PID:2916
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        8⤵
        
        PID:3044
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        9⤵
        
        PID:356
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
        10⤵
        
        PID:1428
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
        10⤵
        
        PID:1752
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\
        11⤵
        
        PID:760
        
        C:\Program Files (x86)\Microsoft Office\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\System Restore.exe" C:\Program Files (x86)\Microsoft Office\
        7⤵
        
        PID:2604
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        8⤵
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\data.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\
        9⤵
        
        PID:2760
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2572
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\
        10⤵
        
        PID:2908
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        8⤵
        System policy modification
        
        PID:1188
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\
        9⤵
        Disables RegEdit via registry modification
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\
        9⤵
        
        PID:2776
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\
        9⤵
        
        PID:2076
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        8⤵
        Drops file in Program Files directory
        
        PID:2752
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\update.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\update.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\
        9⤵
        Drops file in Program Files directory
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\
        10⤵
        
        PID:2172
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\
        9⤵
        
        PID:1404
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\
        10⤵
        
        PID:2504
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\
        10⤵
        
        PID:1652
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\
        10⤵
        
        PID:1148
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2468
        
        C:\Program Files (x86)\Microsoft Office\Office14\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\
        8⤵
        Drops file in Program Files directory
        
        PID:2636
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\
        9⤵
        
        PID:1144
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\
        10⤵
        
        PID:3064
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\
        10⤵
        
        PID:1904
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\
        10⤵
        
        PID:988
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\
        11⤵
        
        PID:1516
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\
        12⤵
        
        PID:992
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\
        12⤵
        
        PID:2924
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\
        12⤵
        
        PID:1544
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\
        12⤵
        Disables RegEdit via registry modification
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\
        12⤵
        
        PID:2068
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1148
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\
        12⤵
        
        PID:2556
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\
        12⤵
        
        PID:1604
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1244
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\
        12⤵
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\
        12⤵
        
        PID:1492
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\
        12⤵
        
        PID:1272
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\
        12⤵
        Disables RegEdit via registry modification
        
        PID:884
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\
        12⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\
        12⤵
        
        PID:2576
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\
        10⤵
        
        PID:788
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\
        10⤵
        
        PID:1784
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\
        10⤵
        
        PID:2560
        
        C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1036\
        9⤵
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\3082\
        9⤵
        
        PID:2132
        
        C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\
        9⤵
        
        PID:1588
        
        C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\
        9⤵
        
        PID:2476
        
        C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\
        9⤵
        
        PID:2728
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\data.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\
        9⤵
        
        PID:2464
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\
        10⤵
        
        PID:2396
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\
        10⤵
        
        PID:1908
        
        C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\
        9⤵
        
        PID:1752
        
        C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\
        9⤵
        
        PID:1652
        
        C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\
        10⤵
        
        PID:2020
        
        C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\
        9⤵
        System policy modification
        
        PID:2360
        
        C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\
        10⤵
        
        PID:2428
        
        C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\
        11⤵
        
        PID:1864
        
        C:\Program Files (x86)\Microsoft Office\Office14\FORMS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\FORMS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\FORMS\
        9⤵
        
        PID:2708
        
        C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\
        10⤵
        
        PID:2412
      - C:\Users\System Restore.exe
        
        "C:\Users\System Restore.exe" C:\Users\
        6⤵
        
        PID:2468
        
        C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        7⤵
        
        PID:2132
        
        C:\Users\Admin\Contacts\update.exe
        
        C:\Users\Admin\Contacts\update.exe C:\Users\Admin\Contacts\
        8⤵
        
        PID:356
        
        C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        8⤵
        
        PID:2016
        
        C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        8⤵
        
        PID:2172
        
        C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        8⤵
        
        PID:2012
        
        C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        8⤵
        
        PID:2140
        
        C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        8⤵
        
        PID:2408
        
        C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2436
        
        C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        8⤵
        
        PID:1044
        
        C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        8⤵
        
        PID:3024
        
        C:\Users\Admin\Searches\data.exe
        
        C:\Users\Admin\Searches\data.exe C:\Users\Admin\Searches\
        8⤵
        Disables RegEdit via registry modification
        
        PID:2528
        
        C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        8⤵
        
        PID:2084
        
        C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        7⤵
        
        PID:2300
        
        C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        8⤵
        
        PID:1588
        
        C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        8⤵
        
        PID:1788
        
        C:\Users\Public\Music\backup.exe
        
        C:\Users\Public\Music\backup.exe C:\Users\Public\Music\
        8⤵
        
        PID:2264
        
        C:\Users\Public\Music\Sample Music\backup.exe
        
        "C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\
        9⤵
        
        PID:1212
        
        C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        8⤵
        
        PID:768
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        9⤵
        
        PID:1480
        
        C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        8⤵
        
        PID:2848
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        9⤵
        
        PID:1260
        
        C:\Users\Public\Videos\System Restore.exe
        
        "C:\Users\Public\Videos\System Restore.exe" C:\Users\Public\Videos\
        8⤵
        
        PID:2032
        
        C:\Users\Public\Videos\Sample Videos\backup.exe
        
        "C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
        9⤵
        
        PID:2704
      - C:\Windows\backup.exe
        
        C:\Windows\backup.exe C:\Windows\
        6⤵
        Drops file in Windows directory
        
        PID:1660
        
        C:\Windows\addins\backup.exe
        
        C:\Windows\addins\backup.exe C:\Windows\addins\
        7⤵
        
        PID:976
        
        C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        7⤵
        
        PID:2664
        
        C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        7⤵
        Drops file in Windows directory
        
        PID:1932
        
        C:\Windows\AppPatch\AppPatch64\System Restore.exe
        
        "C:\Windows\AppPatch\AppPatch64\System Restore.exe" C:\Windows\AppPatch\AppPatch64\
        8⤵
        
        PID:2376
        
        C:\Windows\AppPatch\Custom\update.exe
        
        C:\Windows\AppPatch\Custom\update.exe C:\Windows\AppPatch\Custom\
        8⤵
        Drops file in Windows directory
        
        PID:2728
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        9⤵
        
        PID:3060
        
        C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        8⤵
        
        PID:988
        
        C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        8⤵
        
        PID:2724
        
        C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        8⤵
        
        PID:1516
        
        C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2176
        
        C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        8⤵
        
        PID:560
        
        C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        8⤵
        
        PID:2916
        
        C:\Windows\assembly\backup.exe
        
        C:\Windows\assembly\backup.exe C:\Windows\assembly\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        8⤵
        Drops file in Windows directory
        
        PID:1928
        
        C:\Windows\assembly\GAC\ADODB\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\
        9⤵
        
        PID:2860
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:2764
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        9⤵
        Disables RegEdit via registry modification
        
        PID:1012
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:2316
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\
        9⤵
        Drops file in Windows directory
        
        PID:2344
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
        10⤵
        Disables RegEdit via registry modification
        
        PID:2276
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\
        10⤵
        
        PID:1540
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\update.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\update.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        9⤵
        
        PID:1756
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:1480
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        9⤵
        
        PID:1848
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:1252
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        9⤵
        Drops file in Windows directory
        
        PID:2984
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        10⤵
        
        PID:2752
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        9⤵
        System policy modification
        
        PID:1376
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:320
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2840
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:2624
        
        C:\Windows\assembly\GAC_32\data.exe
        
        C:\Windows\assembly\GAC_32\data.exe C:\Windows\assembly\GAC_32\
        8⤵
        Drops file in Windows directory
        
        PID:3064
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\
        9⤵
        Drops file in Windows directory
        
        PID:1892
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
        10⤵
        
        PID:1696
        
        C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\
        9⤵
        
        PID:2344
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\
        10⤵
        
        PID:2124
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        9⤵
        
        PID:2176
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:1752
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\
        9⤵
        Drops file in Windows directory
        
        PID:1724
        
        C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\
        10⤵
        
        PID:836
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        9⤵
        Drops file in Windows directory
        
        PID:3024
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        10⤵
        
        PID:1020
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\
        9⤵
        
        PID:2648
        
        C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\
        10⤵
        
        PID:2296
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\
        9⤵
        
        PID:932
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:864
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
        9⤵
        Drops file in Windows directory
        
        PID:888
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\
        10⤵
        
        PID:3068
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\data.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\data.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\
        10⤵
        
        PID:1516
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2520
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\
        10⤵
        
        PID:1316
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\
        10⤵
        
        PID:2580
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\
        10⤵
        
        PID:2616
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\
        9⤵
        
        PID:2984
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\
        10⤵
        
        PID:2912
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        9⤵
        
        PID:856
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        10⤵
        
        PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
      C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
      C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
      C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2324
  - - C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
      C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
3a4a27ac16da54f8beff51b95b1c9957

SHA1
a707401eaa7920548a529f20b2b2a72c6e11e0da

SHA256
f8a4ed6e8ebabda616f46791307491a111d1b477ccaf016799ed18e4012d99ab

SHA512
7df39d1e9d2ac1a30197375b50d9cbf5420c2d6db5cf82918b9b4dc4729c63843abdb48499cb7ed480375cdc174d5a94f4784087e0dcfe8d1c67bfc650055966

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
cd7d50d0592c2c83ae95189f819698cf

SHA1
a89b99ebbbab1b3fe6eb72b888e1e1d09986797d

SHA256
66b627aa7ebdca6e32b3986c175abbd007894a435826a40fe7d345c9f65a66ba

SHA512
049dafacf92fd0030bce65225e1d6be6be43257efbd8a39e31dfaffddee94824c5af569d5f005db6bb3d3829d6c36daf59b7a2a774a4cb456e41fda4b609b576

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
a2179021c529808f1d1707e49ebc1299

SHA1
9eca68a2cb4190c787af625ec865d544f7db6b75

SHA256
621fe56173e58796dc7dfb716490cf19c3942322be82409f9b7dbe0524288006

SHA512
fa9874cc8765fb0f23a426e0bc40c7a5f8850048fbaaf99aaece353a0646945e1751bc635d186e10f4907c39d76760757f17e2273fd6e2f4784873129c19073d

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
993a3cbb346167ce6410ac608a7088db

SHA1
5e68c0fe06b7f763616a0aa85ee8bb7023a8aed0

SHA256
89eff6444dd54163a16ba0d5803f22e8a9debacb9fbcaedc06bfdc759069bb64

SHA512
8e093ae97eef29461366ecd9d3a0fd1539fc4c1a5c8f4563a4f2dbdf631d805953560c9fdaa4da386709ac22fcec49b17f522752af6b009402d91d8217fa8159

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
2d8500742eacd3ffabf72aecf1625089

SHA1
e26163ad3f812745c89dcfca2d63e371626afbfa

SHA256
0d05c5929f184656d3a40f25ba29f7a2e32d783608091ebd16e7340db2bd5aa4

SHA512
c7dc56d27880b439eb74ee7a073ac46a08111050889f4e7678230125e782927c99a8a135791762c38697c884c69078a04c9fe5dcdddb24f2a5eb5115665cf673

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
dfa46930a74c8d740bb6583e9f5356ec

SHA1
40d386cd98ce91eaaf16b4637ad2a59c3c6027cb

SHA256
33983463bec73870a90a5a3b9123f59ebee0e5952c4f940a166d7e7aec5d8e3b

SHA512
5331ff202db0f7d9068a8d53240642588f58cea1fe14337057efac4018fcbddabea0dedc67aed738cc11b2b3dd9707094b3b2078e95ccae41d68a44e1d54543c

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
5affd33797142b8f724ef8790aa27e11

SHA1
4a7365208d6d75e942759138db19d4064a37ffb4

SHA256
336a14a31fca4f4c3415f311e94ead34f97396ecfc6a9ff777493a128f356158

SHA512
0ba7c398db7b6ee4f6a00e290f6f71ebb8f03e3c5985efa64af9006f7f10d8c127c14a0041fe5a1b2c5c99be11b788ef5e8d3a51eeeaa6ea7f281b5afdcba822

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
f940acf842e4360ce3b658b88ca017b0

SHA1
94f98da7cde19b53b2aeb50ab3143d6fac423c5f

SHA256
0da7b32b50fc06d6e9b0eebbf4fb9006b9cbc0f4e9f7674c11cd7b5f3dc50935

SHA512
221b7fb535cb1e069ded58f3e60f90ea39e6c4310a24bb1516ecbdcf26ce400ddb63a92159c2a87e6d980f2e66933c2980e5edf584bdaf6f1af35c0f392b4030

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
25KB

MD5
83829d5cf219666f35af614b55de11f3

SHA1
1ad8f6e2a1d5de56f85760ac9ad2b87e36189140

SHA256
28fa904f08e1de810e91651296d5a4a47b10fbf6e502acfb1b6f568ebf7fd4fd

SHA512
12cc904485bbb45b25db04fabc16cd03ac7757404de3c86ace2ac0c5eb708c3f7bf52ef033cd4cd5cc33baace294a879e3f66e7b5039e930a4d3cc62e56f1450

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
561b9e0a4b6d25a29c05685899bacd28

SHA1
fac0ce4ea59eaf9294885b0732874a7a45ce9dd7

SHA256
b2e736df142fe82ffe1fd6b5b37b3ae5cec315f81d647a55e082a169a62fbaea

SHA512
9d60233edb7c3bb748426fee36c8b5290ca4ead9ed573456933cb9e8a51d32ebe41b5816601c62974347fe5ef0e88dae3d4290a4833933b4e3a4a79526f74fdb

Download Submit
C:\backup.exe

Filesize
78KB

MD5
b88523a94c967f01c7a2c387e27bb0bd

SHA1
8c123d4d40238ef5b583bc77259a0fc2006cfbbd

SHA256
0c70d547bd9d08465dc21dd263aeeacfdc93dd6018cbdd65679d1e8ae10c867b

SHA512
e82cf406040ce7d775505deecad7337b11028afbce1db14631abd7d0b1e9a5eca2b07c22cf40ca18c27968f9b960f4c5d05c827567ca32aaa3412f5f40a3a405

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
58891f3adf2d5ad59e516a59cdd87d39

SHA1
c65456130b03e71895ef698fc4e50bfec4fb7b0e

SHA256
fc36a259bb42d93c9c8a1d4cc3b4aed4f84c2b2d0a0408345e67ddf3caf5424b

SHA512
b8e54547796455d890223900d605a3df956380b7fe547f7eaaa16175c87b53c53e3da42d05bb2408b31689b48676675323b345c9a3ff9c575a8c83626e8adc4d

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
78KB

MD5
f48c35ab453acb3a67ac19d78f160b32

SHA1
bb17cb987890b914919bd971f997d25745b8737e

SHA256
0aa9644a93b249adb206100217776c12ac93037c83af14481273179e5ec4bdea

SHA512
7a3a78382b4f8bde08028d3515239be55d6a8f72af0e56385dd40715d2faca21c5c4257e671d6d63e234937e758d4ad1ef30b3b601988c6f9f3cc0cb8016343f

Download Submit
\PerfLogs\backup.exe

Filesize
78KB

MD5
174e552bb9a6c99281dc6d2a0060e3ef

SHA1
388846d297b980aad81d71e6267d3062845aa1b0

SHA256
9d9155cb330f6b01b93146b113d0da762d5d744dbfca19573013fa0eb832d5c7

SHA512
d376a0e0720c24be547c5882ff01489e223878890bc41afb691923d556d78c165639d9615be754b56539456f4fa763496c429e4c24a77b7671b526e8bc17f5b9

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
78KB

MD5
1c32d7022366d02b8004092b9b1c7bc7

SHA1
63453ae6d5931344d9733509deca123e16d5d632

SHA256
b3d52635067620115c990f23a88655489a570e3f029ae5efe4db0b015ae36c82

SHA512
f836a6ae8f34baf3ef4ab751883d25d3dbdd5595872e95123116288fa4e4be5642be09acdf38a41aff61289ab27efed5de35a3416c582204d56c424096fcb42f

Download Submit
\Program Files\Common Files\Microsoft Shared\Filters\backup.exe

Filesize
78KB

MD5
7bd82599f1dcb6e3dd99114dc69a00c9

SHA1
fdc6f53a475697aa3c6b56b83d0a45cd4e3360c3

SHA256
8dff50109b9b30b14fe31b959f7ac108864be12a8304eb0ae932f20f89c107de

SHA512
90cf7668f94e62d9abba41d7902654b7e0c324d28bb95c42b9eba349656039b14b690f4502fd05f086735d4757719c4976fb5cdf0947b9a7a794e72210df0014

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe

Filesize
78KB

MD5
49a875efb20e15c38c1cb2b2af7a5281

SHA1
845e37c8d965ce6d8db253c19e13778fe88856f4

SHA256
48345c4998c987c22d35348d7dc0133b108d15cbe98f17e7fba677dea0b62ba0

SHA512
2109acab208161e91462332aafa040a09260e5f1890f3fd9cdc2e98c8016fc63bec15c285a8a56bc7303725a25370d46201c40a0c4215bb5e4a2419a60971d6b

Download Submit
\Program Files\Common Files\Microsoft Shared\ink\backup.exe

Filesize
78KB

MD5
d4674d52ded6df466a0c5ecb043bc7e1

SHA1
e3543eee351f1cf4762daaa91c17e0b974eb44a6

SHA256
6f9a1cd39ba1b2e026d809f2e4e677ee5092286dd090290d04275ba93de46141

SHA512
ca282e844914a5015a63b4afb5b78f6cb24fc19767cd175c3c2523b28e46ad59a63c0979b08939427272b98372762c5ee66aaaf1b71274eff6dc58a2c8a2c61d

Download Submit
\Users\Admin\AppData\Local\Temp\3780582564\System Restore.exe

Filesize
78KB

MD5
31f679b0add06ce9244250e2f4f6d18b

SHA1
84d7ad3346f00ccc48792cf03a14fa366a5c6e6f

SHA256
5526c164ec213a5c0f50cdceb4f13e24153058d303a4f9e3ba156cd73e08d8eb

SHA512
d2e4fb64b60d49d8f1ff6c96bedd2e8883c59af70c71be422a0087bd5ee73b373d6bbf73c87ebb2e30db672275aa71400b551ce1e4fc56f700a72ff4db26bb6a

Download Submit
memory/320-8441-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/320-8442-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/348-11331-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/724-219-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/724-213-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/856-94-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/992-8299-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/992-8300-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1104-7534-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1124-308-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1124-313-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1124-309-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1124-310-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/1152-98-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1152-100-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1216-258-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1216-4689-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1216-260-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1240-222-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1240-183-0x0000000000340000-0x0000000000355000-memory.dmp

Filesize
84KB

Download
memory/1240-182-0x0000000000340000-0x0000000000355000-memory.dmp

Filesize
84KB

Download
memory/1240-126-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1248-358-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-378-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-317-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-282-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-281-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-290-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-296-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-347-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1248-369-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-343-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-303-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1248-269-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1248-360-0x00000000005B0000-0x00000000005C5000-memory.dmp

Filesize
84KB

Download
memory/1252-8370-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1272-8528-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1272-8527-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1456-6521-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1456-6522-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1460-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1460-138-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/1460-124-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1480-8322-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1516-7990-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1516-7989-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1532-341-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1536-322-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1544-11425-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1552-11039-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1572-9963-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/1572-9964-0x0000000077700000-0x00000000777FA000-memory.dmp

Filesize
1000KB

Download
memory/1572-10844-0x0000000077700000-0x00000000777FA000-memory.dmp

Filesize
1000KB

Download
memory/1624-8490-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1696-8547-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1728-326-0x00000000003A0000-0x00000000003B5000-memory.dmp

Filesize
84KB

Download
memory/1728-241-0x00000000003A0000-0x00000000003B5000-memory.dmp

Filesize
84KB

Download
memory/1728-231-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1728-307-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1752-8606-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1752-8607-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1864-9285-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1864-9283-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1868-410-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1876-328-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1876-333-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1916-283-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1916-289-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1936-10916-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1940-8378-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/1948-141-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1948-173-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1948-4655-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1948-153-0x0000000000290000-0x00000000002A5000-memory.dmp

Filesize
84KB

Download
memory/2028-6290-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2028-6289-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2124-4515-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2132-10989-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2132-10990-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2172-7429-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2184-10722-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2184-10723-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2192-348-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2192-349-0x0000000000020000-0x0000000000035000-memory.dmp

Filesize
84KB

Download
memory/2192-352-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2204-7618-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2204-7614-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2228-256-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2228-199-0x0000000000290000-0x00000000002A5000-memory.dmp

Filesize
84KB

Download
memory/2228-306-0x0000000000290000-0x00000000002A5000-memory.dmp

Filesize
84KB

Download
memory/2244-5846-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2244-5847-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2264-9080-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2324-80-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2336-11404-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2336-11406-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2384-68-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2384-400-0x00000000005C0000-0x00000000005D5000-memory.dmp

Filesize
84KB

Download
memory/2384-66-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2420-390-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2420-387-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2428-379-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2460-9067-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2460-9068-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2512-221-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2512-125-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/2512-152-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2528-7563-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/2560-9504-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2560-9505-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2572-363-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2572-359-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2592-9425-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2608-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2608-27-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2660-4529-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2696-186-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2712-10604-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2712-10603-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2764-10710-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2776-172-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2812-370-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2840-4630-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2856-9254-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2856-9255-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2868-301-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2952-55-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2952-53-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2984-140-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-159-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-212-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-214-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-52-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-1-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2984-77-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-198-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-89-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-88-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-13-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-65-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-14-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-181-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-26-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-25-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-185-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-180-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2984-139-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2984-39-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/3012-268-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/3012-327-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3012-257-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/3012-248-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/3012-345-0x0000000000430000-0x0000000000445000-memory.dmp

Filesize
84KB

Download
memory/3028-210-0x00000000003E0000-0x00000000003F5000-memory.dmp

Filesize
84KB

Download
memory/3028-218-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3048-6733-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads