Analysis
-
max time kernel
139s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
04-06-2024 00:28
Static task
static1
Behavioral task
behavioral1
Sample
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe
Resource
win10v2004-20240426-en
General
-
Target
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe
-
Size
78KB
-
MD5
6c9b5c86dd54044859967bf236fb5009
-
SHA1
47d6834e959384cbe4d7b6070c905a1346f50dc1
-
SHA256
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a
-
SHA512
20f2180c4f955b753bd67cdee988ead838431342b90dd6c28a73d8acce3d180393764c7044a07d1c1db8d8d49f90b788f67bb7e19beb314875ba259f01dc499d
-
SSDEEP
768:hpQNwC3BEddsEqOt/hyJF+x3BEJwRrPHisKl4qh6:reTce/U/hKYuKPHisKldh6
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs
Processes:
System Restore.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" System Restore.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" -
Disables RegEdit via registry modification 64 IoCs
Processes:
backup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" data.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" -
Executes dropped EXE 64 IoCs
Processes:
update.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exeSystem Restore.exebackup.exebackup.exebackup.exeupdate.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exepid process 2028 update.exe 2644 backup.exe 2920 backup.exe 2756 backup.exe 2528 backup.exe 2500 backup.exe 3032 backup.exe 2744 backup.exe 2876 backup.exe 2476 backup.exe 792 backup.exe 1200 backup.exe 2044 data.exe 2096 System Restore.exe 808 backup.exe 2132 backup.exe 1324 backup.exe 1096 update.exe 2964 backup.exe 2216 System Restore.exe 2292 backup.exe 760 backup.exe 1440 backup.exe 2596 backup.exe 2804 data.exe 2308 backup.exe 2756 backup.exe 2816 backup.exe 2568 backup.exe 2300 backup.exe 2740 backup.exe 3032 backup.exe 2168 backup.exe 316 backup.exe 300 backup.exe 2488 update.exe 852 backup.exe 2368 backup.exe 1920 backup.exe 2320 backup.exe 988 backup.exe 1488 backup.exe 648 backup.exe 2472 backup.exe 1776 backup.exe 1828 backup.exe 2952 backup.exe 2068 backup.exe 2924 backup.exe 2340 backup.exe 1720 backup.exe 2684 backup.exe 3064 backup.exe 2296 backup.exe 2608 System Restore.exe 2664 backup.exe 2752 backup.exe 2548 backup.exe 2552 System Restore.exe 2364 backup.exe 2848 backup.exe 2696 backup.exe 1788 backup.exe 1632 backup.exe -
Loads dropped DLL 64 IoCs
Processes:
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exeupdate.exebackup.exebackup.exebackup.exedata.exeSystem Restore.exebackup.exebackup.exebackup.exeupdate.exebackup.exeSystem Restore.exepid process 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 2028 update.exe 2028 update.exe 2028 update.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 3032 backup.exe 3032 backup.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 2876 backup.exe 2876 backup.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 1200 backup.exe 1200 backup.exe 2044 data.exe 2044 data.exe 2044 data.exe 2044 data.exe 2044 data.exe 2096 System Restore.exe 2096 System Restore.exe 2096 System Restore.exe 1200 backup.exe 1200 backup.exe 808 backup.exe 808 backup.exe 808 backup.exe 808 backup.exe 808 backup.exe 2132 backup.exe 2132 backup.exe 2132 backup.exe 2132 backup.exe 2132 backup.exe 1324 backup.exe 1324 backup.exe 1324 backup.exe 808 backup.exe 1096 update.exe 1096 update.exe 1096 update.exe 1096 update.exe 1096 update.exe 2964 backup.exe 2964 backup.exe 2964 backup.exe 2964 backup.exe 2964 backup.exe 2216 System Restore.exe 2216 System Restore.exe 2216 System Restore.exe 2964 backup.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe" 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exedescription ioc process File opened (read-only) \??\K: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\W: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\L: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\R: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\T: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\G: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\H: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\P: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\Q: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\S: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\U: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\X: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\I: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\M: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\N: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\O: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\V: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\Y: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\Z: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\E: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened (read-only) \??\J: 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe -
Drops file in System32 directory 2 IoCs
Processes:
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exedescription ioc process File created C:\Windows\SysWOW64\runouce.exe 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Windows\SysWOW64\runouce.exe 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe -
Drops file in Program Files directory 64 IoCs
Processes:
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedescription ioc process File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\readme.eml 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Green Bubbles.htm 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\backup.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\backup.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\backup.exe File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\backup.exe backup.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\readme.eml 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\backup.exe backup.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe backup.exe File opened for modification C:\Program Files\Microsoft Games\FreeCell\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\backup.exe File opened for modification C:\Program Files\Windows Media Player\ja-JP\backup.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe backup.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe backup.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\backup.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe backup.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUNGLE.HTM 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe backup.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\backup.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\backup.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\update.exe backup.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe backup.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\backup.exe backup.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe backup.exe File opened for modification C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe backup.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\backup.exe backup.exe File opened for modification C:\Program Files\Windows Photo Viewer\backup.exe backup.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\backup.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe backup.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\System Restore.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\backup.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\backup.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe backup.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe backup.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\backup.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d9\System Restore.exe File opened for modification C:\Program Files\Windows NT\TableTextService\en-US\backup.exe -
Drops file in Windows directory 64 IoCs
Processes:
backup.exebackup.exebackup.exedata.exedescription ioc process File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\ehiProxy\5cd902459c588bb0ac608d4cbc8b5e4c\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.SyncServices\backup.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\backup.exe File opened for modification C:\Windows\Cursors\backup.exe backup.exe File opened for modification C:\Windows\ehome\MCX\X02\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\942c10614a6f8c8a22d1f74e217a11d6\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\microsoft.build.utilities.resources\2.0.0.0_es_b03f5f7f11d50a3a\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\ehCIR\b648e07269decc9d5a2d8aeba1d48cbb\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Security.#\d660f850b373b57c4e22a7100feeb1a4\backup.exe File opened for modification C:\Windows\security\ApplicationId\PolicyManagement\backup.exe File opened for modification C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\update.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\2ad23de8284d4594aa658dfb5e667d97\backup.exe File opened for modification C:\Windows\inf\RemoteAccess\040C\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_ja_31bf3856ad364e35\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\ehiActivScp\6.1.0.0__31bf3856ad364e35\backup.exe File opened for modification C:\Windows\Help\Windows\ja-JP\System Restore.exe File opened for modification C:\Windows\assembly\GAC_MSIL\mcstore\backup.exe File opened for modification C:\Windows\Panther\setup.exe\backup.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\EventViewer\21464de9aa1dce17c1f42044129a986e\backup.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\System\095a3392942c3d4eb888e6a32036acd8\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\3e357e76593a8cc5346dc0431f4cdaa9\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\e251e07a65ea3f2a157796a054971e60\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\7a9c26f21641112fcacd6f087b42133a\System Restore.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Applicati#\74c8f5e75ec10458436bb476c2cfd9fc\backup.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Classic\backup.exe File opened for modification C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe backup.exe File opened for modification C:\Windows\inf\ASP.NET_4.0.30319\0005\backup.exe File opened for modification C:\Windows\inf\ASP.NET_4.0.30319\0416\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.iTV\6.1.0.0__31bf3856ad364e35\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\EventViewer.Resources\6.1.0.0_en_31bf3856ad364e35\data.exe File opened for modification C:\Windows\Help\Windows\de-DE\backup.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources\backup.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\backup.exe File opened for modification C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe backup.exe File opened for modification C:\Windows\assembly\GAC_64\Microsoft.MediaCenter.iTV.Media\6.1.0.0__31bf3856ad364e35\backup.exe File opened for modification C:\Windows\inf\ASP.NET\0804\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Tas#\3cf3740de20740208d614d330aa4416c\System Restore.exe File opened for modification C:\Windows\inf\rdyboost\040C\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath\14.0.0.0__71e9bce111e9429c\backup.exe File opened for modification C:\Windows\Help\Help\it-IT\backup.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\update.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe data.exe File opened for modification C:\Windows\inf\ESENT\0C0A\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessApplications.Runtime\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\f1f58d6720098d7c1d51faf7f326d72d\backup.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath.Xml\14.0.0.0__71e9bce111e9429c\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\backup.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.ApplicationServer.Applications\v4.0_4.0.0.0__31bf3856ad364e35\backup.exe File opened for modification C:\Windows\assembly\GAC_64\ISymWrapper\backup.exe File opened for modification C:\Windows\inf\MSDTC Bridge 4.0.0.0\0010\backup.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\backup.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\backup.exe File opened for modification C:\Windows\assembly\GAC_64\naphlpr\backup.exe File opened for modification C:\Windows\Media\Delta\backup.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\1040\backup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exepid process 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedata.exeSystem Restore.exebackup.exebackup.exebackup.exeupdate.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeupdate.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exepid process 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 2028 update.exe 2644 backup.exe 2920 backup.exe 2756 backup.exe 2528 backup.exe 2500 backup.exe 3032 backup.exe 2744 backup.exe 2876 backup.exe 2476 backup.exe 792 backup.exe 1200 backup.exe 2044 data.exe 2096 System Restore.exe 808 backup.exe 2132 backup.exe 1324 backup.exe 1096 update.exe 2964 backup.exe 2216 System Restore.exe 2292 backup.exe 760 backup.exe 1440 backup.exe 2596 backup.exe 2804 data.exe 2308 backup.exe 2756 backup.exe 2816 backup.exe 2568 backup.exe 2300 backup.exe 2740 backup.exe 3032 backup.exe 2168 backup.exe 316 backup.exe 300 backup.exe 2488 update.exe 852 backup.exe 2368 backup.exe 1920 backup.exe 2320 backup.exe 988 backup.exe 1488 backup.exe 648 backup.exe 2472 backup.exe 1776 backup.exe 1828 backup.exe 2952 backup.exe 2068 backup.exe 2924 backup.exe 2340 backup.exe 1720 backup.exe 2684 backup.exe 3064 backup.exe 2296 backup.exe 2608 System Restore.exe 2664 backup.exe 2752 backup.exe 2548 backup.exe 2552 System Restore.exe 2364 backup.exe 2848 backup.exe 2696 backup.exe 1788 backup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exebackup.exebackup.exeupdate.exebackup.exedescription pid process target process PID 1936 wrote to memory of 1944 1936 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe PID 1936 wrote to memory of 1944 1936 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe PID 1936 wrote to memory of 1944 1936 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe PID 1936 wrote to memory of 1944 1936 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe PID 1944 wrote to memory of 2028 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe update.exe PID 1944 wrote to memory of 2028 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe update.exe PID 1944 wrote to memory of 2028 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe update.exe PID 1944 wrote to memory of 2028 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe update.exe PID 1944 wrote to memory of 2028 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe update.exe PID 1944 wrote to memory of 2028 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe update.exe PID 1944 wrote to memory of 2028 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe update.exe PID 1944 wrote to memory of 2644 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2644 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2644 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2644 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2920 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2920 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2920 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2920 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2756 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2756 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2756 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2756 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2528 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2528 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2528 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2528 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2500 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2500 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2500 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2500 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 3032 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 3032 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 3032 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 3032 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 3032 wrote to memory of 2744 3032 backup.exe backup.exe PID 3032 wrote to memory of 2744 3032 backup.exe backup.exe PID 3032 wrote to memory of 2744 3032 backup.exe backup.exe PID 3032 wrote to memory of 2744 3032 backup.exe backup.exe PID 1944 wrote to memory of 2876 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2876 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2876 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 2876 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 2876 wrote to memory of 2476 2876 backup.exe backup.exe PID 2876 wrote to memory of 2476 2876 backup.exe backup.exe PID 2876 wrote to memory of 2476 2876 backup.exe backup.exe PID 2876 wrote to memory of 2476 2876 backup.exe backup.exe PID 1944 wrote to memory of 792 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 792 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 792 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1944 wrote to memory of 792 1944 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe backup.exe PID 1936 wrote to memory of 1204 1936 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe Explorer.EXE PID 1936 wrote to memory of 1204 1936 9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe Explorer.EXE PID 2028 wrote to memory of 1200 2028 update.exe backup.exe PID 2028 wrote to memory of 1200 2028 update.exe backup.exe PID 2028 wrote to memory of 1200 2028 update.exe backup.exe PID 2028 wrote to memory of 1200 2028 update.exe backup.exe PID 2028 wrote to memory of 1200 2028 update.exe backup.exe PID 2028 wrote to memory of 1200 2028 update.exe backup.exe PID 2028 wrote to memory of 1200 2028 update.exe backup.exe PID 1200 wrote to memory of 2044 1200 backup.exe data.exe PID 1200 wrote to memory of 2044 1200 backup.exe data.exe PID 1200 wrote to memory of 2044 1200 backup.exe data.exe PID 1200 wrote to memory of 2044 1200 backup.exe data.exe -
System policy modification 1 TTPs 64 IoCs
Processes:
backup.exebackup.exebackup.exebackup.exebackup.exeupdate.exeupdate.exeSystem Restore.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exeSystem Restore.exebackup.exedata.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exebackup.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer update.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" update.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System System Restore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer System Restore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System data.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System backup.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe"C:\Users\Admin\AppData\Local\Temp\9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe"2⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe"C:\Users\Admin\AppData\Local\Temp\9758c64b1cef8ded302a7cb93b4f7f6d5b93d4b47ac224c672aa292e6151496a.exe"3⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\2713699087\update.exeC:\Users\Admin\AppData\Local\Temp\2713699087\update.exe C:\Users\Admin\AppData\Local\Temp\2713699087\4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\backup.exe\backup.exe \5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\PerfLogs\data.exeC:\PerfLogs\data.exe C:\PerfLogs\6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2044 -
C:\PerfLogs\Admin\System Restore.exe"C:\PerfLogs\Admin\System Restore.exe" C:\PerfLogs\Admin\7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2096
-
-
-
C:\Program Files\backup.exe"C:\Program Files\backup.exe" C:\Program Files\6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:808 -
C:\Program Files\7-Zip\backup.exe"C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2132 -
C:\Program Files\7-Zip\Lang\backup.exe"C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1324
-
-
-
C:\Program Files\Common Files\update.exe"C:\Program Files\Common Files\update.exe" C:\Program Files\Common Files\7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1096 -
C:\Program Files\Common Files\Microsoft Shared\backup.exe"C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2964 -
C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\Filters\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2216
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2292 -
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:760
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1440
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2596
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe"C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2804
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2308
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2816
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2568
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2300
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2168 -
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:316
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:300
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\update.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2488
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:852
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2368
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1920
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2320
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:988
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1488
-
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:648
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1776
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1828
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2952
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2068
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2924
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2340
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2684
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3064
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2296
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2608
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2664
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2752
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2548
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2552
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2364
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\10⤵
- Executes dropped EXE
PID:1632
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe"C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\10⤵PID:1756
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\10⤵PID:1436
-
-
C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\10⤵PID:2372
-
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\9⤵PID:2016
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\10⤵PID:2932
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\10⤵PID:332
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\10⤵PID:1492
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\10⤵PID:2164
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\update.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\10⤵PID:2168
-
-
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\10⤵PID:2468
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\9⤵PID:828
-
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\10⤵PID:1628
-
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\9⤵PID:1252
-
-
C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\9⤵PID:1148
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\9⤵PID:1552
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\10⤵PID:1388
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\10⤵PID:1056
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\10⤵PID:2240
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\10⤵PID:2384
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\10⤵PID:3064
-
-
C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\10⤵PID:2296
-
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\9⤵PID:2536
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\10⤵PID:2388
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\10⤵PID:2432
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\10⤵PID:2372
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\10⤵PID:1732
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\10⤵PID:1824
-
-
C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe"C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\10⤵PID:1792
-
-
-
C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\9⤵PID:1968
-
-
C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VGX\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\9⤵PID:1324
-
-
C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\9⤵PID:1052
-
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\10⤵PID:1660
-
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\11⤵PID:2980
-
-
-
-
-
C:\Program Files\Common Files\Services\update.exe"C:\Program Files\Common Files\Services\update.exe" C:\Program Files\Common Files\Services\8⤵PID:1516
-
-
C:\Program Files\Common Files\SpeechEngines\backup.exe"C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\8⤵PID:1388
-
C:\Program Files\Common Files\SpeechEngines\Microsoft\System Restore.exe"C:\Program Files\Common Files\SpeechEngines\Microsoft\System Restore.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\9⤵PID:1992
-
-
-
C:\Program Files\Common Files\System\backup.exe"C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\8⤵PID:2240
-
C:\Program Files\Common Files\System\ado\backup.exe"C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\9⤵PID:2652
-
C:\Program Files\Common Files\System\ado\de-DE\backup.exe"C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\10⤵PID:2284
-
-
C:\Program Files\Common Files\System\ado\en-US\backup.exe"C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\10⤵PID:3016
-
-
C:\Program Files\Common Files\System\ado\es-ES\backup.exe"C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\10⤵PID:2528
-
-
C:\Program Files\Common Files\System\ado\fr-FR\backup.exe"C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\10⤵PID:2580
-
-
C:\Program Files\Common Files\System\ado\it-IT\backup.exe"C:\Program Files\Common Files\System\ado\it-IT\backup.exe" C:\Program Files\Common Files\System\ado\it-IT\10⤵PID:496
-
-
C:\Program Files\Common Files\System\ado\ja-JP\backup.exe"C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\10⤵PID:2896
-
-
-
C:\Program Files\Common Files\System\de-DE\backup.exe"C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\9⤵PID:1044
-
-
C:\Program Files\Common Files\System\en-US\backup.exe"C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\9⤵PID:1564
-
-
C:\Program Files\Common Files\System\es-ES\backup.exe"C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\9⤵
- System policy modification
PID:1180
-
-
C:\Program Files\Common Files\System\fr-FR\backup.exe"C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\9⤵PID:892
-
-
C:\Program Files\Common Files\System\it-IT\backup.exe"C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\9⤵PID:2016
-
-
C:\Program Files\Common Files\System\ja-JP\backup.exe"C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\9⤵
- System policy modification
PID:1292
-
-
C:\Program Files\Common Files\System\msadc\backup.exe"C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\9⤵PID:1148
-
C:\Program Files\Common Files\System\msadc\de-DE\backup.exe"C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\10⤵PID:2960
-
-
C:\Program Files\Common Files\System\msadc\en-US\backup.exe"C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\10⤵PID:1764
-
-
C:\Program Files\Common Files\System\msadc\es-ES\backup.exe"C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\10⤵PID:2864
-
-
C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe"C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\10⤵PID:2612
-
-
C:\Program Files\Common Files\System\msadc\it-IT\backup.exe"C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\10⤵PID:2788
-
-
C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe"C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\10⤵PID:2760
-
-
-
C:\Program Files\Common Files\System\Ole DB\backup.exe"C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\9⤵PID:2668
-
C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe"C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\10⤵PID:1960
-
-
C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe"C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\10⤵PID:2856
-
-
C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe"C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\10⤵PID:2852
-
-
C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe"C:\Program Files\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\10⤵PID:344
-
-
C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe"C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\10⤵PID:1924
-
-
C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe"C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\10⤵PID:2572
-
-
-
-
-
C:\Program Files\DVD Maker\backup.exe"C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\7⤵PID:2728
-
C:\Program Files\DVD Maker\de-DE\backup.exe"C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\8⤵PID:1400
-
-
C:\Program Files\DVD Maker\en-US\backup.exe"C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\8⤵PID:1684
-
-
C:\Program Files\DVD Maker\es-ES\backup.exe"C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\8⤵PID:2928
-
-
C:\Program Files\DVD Maker\fr-FR\backup.exe"C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\8⤵PID:1564
-
-
C:\Program Files\DVD Maker\it-IT\System Restore.exe"C:\Program Files\DVD Maker\it-IT\System Restore.exe" C:\Program Files\DVD Maker\it-IT\8⤵
- Modifies visibility of file extensions in Explorer
- System policy modification
PID:988
-
-
C:\Program Files\DVD Maker\ja-JP\backup.exe"C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\8⤵PID:296
-
-
C:\Program Files\DVD Maker\Shared\backup.exe"C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\8⤵PID:2168
-
C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\9⤵
- Drops file in Program Files directory
PID:1348 -
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\10⤵PID:1680
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\10⤵PID:692
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\10⤵PID:1796
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\10⤵PID:1556
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\10⤵PID:2144
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\10⤵
- System policy modification
PID:1764
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\10⤵PID:2780
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\update.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\10⤵
- System policy modification
PID:2644
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\10⤵PID:2812
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\10⤵PID:2916
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Push\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\10⤵PID:2880
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\10⤵
- Disables RegEdit via registry modification
PID:2624
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\10⤵PID:3008
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\10⤵PID:1196
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\10⤵PID:1308
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\10⤵PID:1800
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\10⤵PID:496
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\10⤵PID:1924
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\10⤵PID:2676
-
-
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe"C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\10⤵PID:1364
-
-
-
-
-
C:\Program Files\Google\backup.exe"C:\Program Files\Google\backup.exe" C:\Program Files\Google\7⤵PID:1980
-
C:\Program Files\Google\Chrome\backup.exe"C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\8⤵PID:1920
-
C:\Program Files\Google\Chrome\Application\backup.exe"C:\Program Files\Google\Chrome\Application\backup.exe" C:\Program Files\Google\Chrome\Application\9⤵PID:1040
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\10⤵PID:2484
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\11⤵PID:1716
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\11⤵PID:2336
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\11⤵PID:2304
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\11⤵PID:1544
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\11⤵PID:1160
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\11⤵PID:1304
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\11⤵
- Disables RegEdit via registry modification
PID:2420 -
C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\12⤵PID:1556
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\13⤵PID:2088
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe"C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\10⤵PID:1512
-
-
-
-
-
C:\Program Files\Internet Explorer\backup.exe"C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\7⤵PID:1624
-
C:\Program Files\Internet Explorer\de-DE\backup.exe"C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\8⤵PID:1616
-
-
C:\Program Files\Internet Explorer\en-US\backup.exe"C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\8⤵PID:1992
-
-
C:\Program Files\Internet Explorer\es-ES\backup.exe"C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\8⤵PID:2628
-
-
C:\Program Files\Internet Explorer\fr-FR\backup.exe"C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\8⤵PID:2820
-
-
C:\Program Files\Internet Explorer\images\backup.exe"C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\8⤵
- Disables RegEdit via registry modification
PID:2284
-
-
C:\Program Files\Internet Explorer\it-IT\backup.exe"C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\8⤵
- System policy modification
PID:2228
-
-
C:\Program Files\Internet Explorer\ja-JP\backup.exe"C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\8⤵PID:1944
-
-
C:\Program Files\Internet Explorer\SIGNUP\data.exe"C:\Program Files\Internet Explorer\SIGNUP\data.exe" C:\Program Files\Internet Explorer\SIGNUP\8⤵PID:2624
-
-
-
C:\Program Files\Java\backup.exe"C:\Program Files\Java\backup.exe" C:\Program Files\Java\7⤵PID:2192
-
C:\Program Files\Java\jdk1.7.0_80\backup.exe"C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\8⤵
- Drops file in Program Files directory
PID:1960 -
C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe"C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\9⤵PID:1608
-
-
C:\Program Files\Java\jdk1.7.0_80\db\backup.exe"C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\9⤵PID:2868
-
C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe"C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\10⤵PID:1708
-
-
C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe"C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\10⤵PID:2180
-
-
-
C:\Program Files\Java\jdk1.7.0_80\include\backup.exe"C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\9⤵PID:3004
-
C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe"C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\10⤵PID:2432
-
C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe"C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\11⤵PID:2372
-
-
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\9⤵PID:484
-
C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\10⤵PID:1492
-
C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\11⤵PID:1168
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\11⤵PID:660
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\data.exe"C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\11⤵PID:828
-
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\10⤵PID:1948
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\11⤵PID:2904
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\11⤵PID:2068
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\11⤵PID:2172
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\11⤵PID:2948
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\11⤵PID:1612
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\11⤵PID:2320
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\update.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\11⤵PID:3048
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\12⤵PID:2416
-
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\update.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\update.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\11⤵PID:2776
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\11⤵PID:2644
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\11⤵PID:2308
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\11⤵
- Drops file in Program Files directory
PID:1148 -
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\12⤵PID:2284
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\12⤵
- Drops file in Program Files directory
PID:2228 -
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\13⤵PID:2224
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\data.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\13⤵
- Disables RegEdit via registry modification
PID:2564
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\13⤵PID:2592
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\13⤵PID:2688
-
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\12⤵PID:2884
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\12⤵PID:2876
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\12⤵PID:344
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\12⤵PID:496
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\12⤵PID:2376
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\12⤵PID:2220
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\12⤵PID:1316
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\12⤵PID:1044
-
-
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\12⤵PID:2444
-
-
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\9⤵PID:1916
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\10⤵PID:2432
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\11⤵PID:772
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\12⤵PID:584
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\12⤵
- Disables RegEdit via registry modification
PID:2396
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\11⤵PID:1156
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\11⤵
- Modifies visibility of file extensions in Explorer
PID:2356 -
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\12⤵PID:1376
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\12⤵PID:1680
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\12⤵PID:2956
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\12⤵PID:2132
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\12⤵
- Modifies visibility of file extensions in Explorer
PID:1600
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\System Restore.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\12⤵PID:688
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\data.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\12⤵
- Modifies visibility of file extensions in Explorer
PID:2216
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\12⤵PID:2980
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\update.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\12⤵
- System policy modification
PID:2088
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\12⤵PID:3036
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\data.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\13⤵PID:1556
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\data.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\12⤵PID:2616
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\13⤵PID:1736
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\12⤵
- Drops file in Program Files directory
PID:2724 -
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\13⤵PID:2384
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\12⤵PID:2768
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\13⤵PID:2648
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\12⤵PID:2804
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\13⤵PID:2008
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\12⤵PID:2524
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\13⤵
- Modifies visibility of file extensions in Explorer
PID:1596
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\12⤵PID:2640
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\System Restore.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\13⤵PID:352
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\12⤵PID:3012
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\13⤵PID:2364
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\data.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\12⤵PID:2592
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\13⤵PID:2756
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\12⤵PID:2972
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\13⤵PID:1236
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\12⤵PID:2652
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\13⤵PID:792
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\12⤵PID:632
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\data.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\13⤵PID:2220
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\12⤵PID:2488
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\13⤵PID:2428
-
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\11⤵PID:2276
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\12⤵PID:668
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\13⤵PID:2444
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\14⤵PID:332
-
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\12⤵
- Disables RegEdit via registry modification
PID:1028 -
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\13⤵PID:2380
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\14⤵PID:1780
-
-
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\update.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\11⤵PID:1160
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\12⤵PID:2036
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\13⤵PID:2480
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\14⤵PID:2152
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\15⤵PID:1592
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\15⤵PID:2864
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\15⤵PID:2052
-
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\13⤵PID:2820
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\13⤵PID:2556
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\12⤵PID:1596
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\13⤵PID:2564
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\13⤵PID:2996
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\update.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\13⤵PID:2592
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\13⤵
- Modifies visibility of file extensions in Explorer
PID:2064
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\12⤵PID:1084
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\13⤵PID:1264
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\12⤵PID:2164
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\13⤵PID:1628
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\14⤵PID:3060
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\13⤵PID:2128
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\13⤵
- System policy modification
PID:2216
-
-
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\10⤵PID:2212
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\System Restore.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\11⤵PID:1764
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\11⤵PID:2384
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\12⤵PID:568
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\13⤵PID:3016
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\13⤵PID:2424
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\12⤵PID:2300
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\13⤵PID:1248
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\12⤵PID:1756
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\13⤵PID:2180
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\12⤵PID:1448
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\13⤵PID:1528
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\14⤵PID:284
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\13⤵PID:584
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\12⤵PID:296
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\11⤵PID:1548
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\12⤵PID:692
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\13⤵PID:1956
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\12⤵PID:1776
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\13⤵PID:1324
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\14⤵PID:2164
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\15⤵PID:1616
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\14⤵PID:2160
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\15⤵PID:2152
-
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\13⤵PID:2424
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\12⤵PID:2856
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\13⤵PID:1876
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\12⤵PID:2972
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\11⤵PID:496
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\12⤵PID:2600
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\13⤵PID:1536
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\12⤵PID:1268
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\13⤵PID:592
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\12⤵PID:284
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\13⤵PID:1448
-
-
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe"C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\12⤵PID:1124
-
-
-
-
-
-
C:\Program Files\Java\jre7\backup.exe"C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\8⤵PID:2276
-
C:\Program Files\Java\jre7\bin\backup.exe"C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\9⤵PID:2964
-
C:\Program Files\Java\jre7\bin\dtplugin\backup.exe"C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\10⤵PID:760
-
-
C:\Program Files\Java\jre7\bin\plugin2\backup.exe"C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\10⤵PID:2960
-
-
C:\Program Files\Java\jre7\bin\server\backup.exe"C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\10⤵PID:2900
-
-
-
C:\Program Files\Java\jre7\lib\backup.exe"C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\9⤵PID:1980
-
C:\Program Files\Java\jre7\lib\amd64\backup.exe"C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\10⤵PID:2088
-
-
C:\Program Files\Java\jre7\lib\applet\backup.exe"C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\10⤵PID:3016
-
-
C:\Program Files\Java\jre7\lib\cmm\backup.exe"C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\10⤵PID:2516
-
-
C:\Program Files\Java\jre7\lib\deploy\backup.exe"C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\10⤵PID:2744
-
-
C:\Program Files\Java\jre7\lib\ext\backup.exe"C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\10⤵PID:2716
-
-
C:\Program Files\Java\jre7\lib\fonts\backup.exe"C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\10⤵PID:2884
-
-
C:\Program Files\Java\jre7\lib\images\backup.exe"C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\10⤵PID:2388
-
C:\Program Files\Java\jre7\lib\images\cursors\backup.exe"C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\11⤵PID:2872
-
-
-
C:\Program Files\Java\jre7\lib\jfr\backup.exe"C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\10⤵PID:1044
-
-
C:\Program Files\Java\jre7\lib\management\backup.exe"C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\10⤵PID:2888
-
-
C:\Program Files\Java\jre7\lib\security\System Restore.exe"C:\Program Files\Java\jre7\lib\security\System Restore.exe" C:\Program Files\Java\jre7\lib\security\10⤵PID:592
-
-
C:\Program Files\Java\jre7\lib\zi\backup.exe"C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\10⤵
- Drops file in Program Files directory
PID:1500 -
C:\Program Files\Java\jre7\lib\zi\Africa\update.exe"C:\Program Files\Java\jre7\lib\zi\Africa\update.exe" C:\Program Files\Java\jre7\lib\zi\Africa\11⤵PID:1084
-
-
C:\Program Files\Java\jre7\lib\zi\America\backup.exe"C:\Program Files\Java\jre7\lib\zi\America\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\11⤵PID:2220
-
C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe"C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\12⤵PID:1964
-
-
C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe"C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\12⤵PID:1328
-
-
C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe"C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\12⤵PID:2640
-
-
C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe"C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\12⤵
- System policy modification
PID:1724
-
-
-
C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe"C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\11⤵PID:3068
-
-
C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe"C:\Program Files\Java\jre7\lib\zi\Asia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Asia\11⤵PID:1040
-
-
C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe"C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jre7\lib\zi\Atlantic\11⤵PID:2776
-
-
C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe"C:\Program Files\Java\jre7\lib\zi\Australia\backup.exe" C:\Program Files\Java\jre7\lib\zi\Australia\11⤵PID:2664
-
-
C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe"C:\Program Files\Java\jre7\lib\zi\Etc\backup.exe" C:\Program Files\Java\jre7\lib\zi\Etc\11⤵PID:2088
-
-
C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe"C:\Program Files\Java\jre7\lib\zi\Europe\backup.exe" C:\Program Files\Java\jre7\lib\zi\Europe\11⤵PID:1624
-
-
C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe"C:\Program Files\Java\jre7\lib\zi\Indian\backup.exe" C:\Program Files\Java\jre7\lib\zi\Indian\11⤵
- System policy modification
PID:2424
-
-
C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe"C:\Program Files\Java\jre7\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jre7\lib\zi\Pacific\11⤵PID:2696
-
-
C:\Program Files\Java\jre7\lib\zi\SystemV\update.exe"C:\Program Files\Java\jre7\lib\zi\SystemV\update.exe" C:\Program Files\Java\jre7\lib\zi\SystemV\11⤵PID:2716
-
-
-
-
-
-
C:\Program Files\Microsoft Games\backup.exe"C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\7⤵
- Drops file in Program Files directory
PID:300 -
C:\Program Files\Microsoft Games\Chess\backup.exe"C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\8⤵
- Drops file in Program Files directory
PID:3004 -
C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe"C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\9⤵PID:2376
-
-
C:\Program Files\Microsoft Games\Chess\en-US\backup.exe"C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\9⤵PID:984
-
-
C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe"C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\9⤵PID:1732
-
-
C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe"C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\9⤵PID:2560
-
-
C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe"C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\9⤵PID:2360
-
-
C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe"C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\9⤵PID:3020
-
-
-
C:\Program Files\Microsoft Games\FreeCell\backup.exe"C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\8⤵PID:2252
-
C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe"C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\9⤵PID:296
-
-
C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe"C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\9⤵PID:2948
-
-
C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe"C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\9⤵PID:1160
-
-
C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe"C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\9⤵PID:1620
-
-
C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe"C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\9⤵PID:2340
-
-
C:\Program Files\Microsoft Games\FreeCell\ja-JP\System Restore.exe"C:\Program Files\Microsoft Games\FreeCell\ja-JP\System Restore.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\9⤵PID:2900
-
-
-
C:\Program Files\Microsoft Games\Hearts\backup.exe"C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\8⤵PID:2804
-
C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe"C:\Program Files\Microsoft Games\Hearts\de-DE\backup.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\9⤵
- System policy modification
PID:2752
-
-
C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe"C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe" C:\Program Files\Microsoft Games\Hearts\en-US\9⤵PID:352
-
-
C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe"C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\9⤵PID:2688
-
-
C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe"C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\9⤵PID:1640
-
-
C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe"C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\9⤵PID:2300
-
-
C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe"C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\9⤵PID:828
-
-
-
C:\Program Files\Microsoft Games\Mahjong\backup.exe"C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\8⤵
- Modifies visibility of file extensions in Explorer
PID:2668 -
C:\Program Files\Microsoft Games\Mahjong\de-DE\System Restore.exe"C:\Program Files\Microsoft Games\Mahjong\de-DE\System Restore.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\9⤵PID:1108
-
-
C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe"C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\9⤵PID:2108
-
-
C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe"C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\9⤵PID:2444
-
-
C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe"C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\9⤵PID:956
-
-
C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe"C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\9⤵PID:2168
-
-
C:\Program Files\Microsoft Games\Mahjong\ja-JP\System Restore.exe"C:\Program Files\Microsoft Games\Mahjong\ja-JP\System Restore.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\9⤵PID:2380
-
-
-
C:\Program Files\Microsoft Games\Minesweeper\backup.exe"C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\8⤵PID:2840
-
C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe"C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\9⤵PID:2968
-
-
C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe"C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\9⤵PID:2076
-
-
C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe"C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\9⤵PID:1160
-
-
C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe"C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\9⤵PID:2632
-
-
C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe"C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\9⤵PID:2596
-
-
C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe"C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\9⤵PID:2340
-
-
-
C:\Program Files\Microsoft Games\More Games\backup.exe"C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\8⤵PID:2920
-
C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe"C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\9⤵PID:2992
-
-
C:\Program Files\Microsoft Games\More Games\en-US\backup.exe"C:\Program Files\Microsoft Games\More Games\en-US\backup.exe" C:\Program Files\Microsoft Games\More Games\en-US\9⤵PID:1324
-
-
C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe"C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe" C:\Program Files\Microsoft Games\More Games\es-ES\9⤵
- System policy modification
PID:1624
-
-
C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe"C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\9⤵PID:2996
-
-
C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe"C:\Program Files\Microsoft Games\More Games\it-IT\backup.exe" C:\Program Files\Microsoft Games\More Games\it-IT\9⤵PID:2836
-
-
C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe"C:\Program Files\Microsoft Games\More Games\ja-JP\backup.exe" C:\Program Files\Microsoft Games\More Games\ja-JP\9⤵
- System policy modification
PID:2868
-
-
-
C:\Program Files\Microsoft Games\Multiplayer\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\8⤵
- Drops file in Program Files directory
PID:1788 -
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\9⤵PID:1236
-
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\10⤵PID:1716
-
-
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\10⤵PID:2176
-
-
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\10⤵PID:584
-
-
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\10⤵PID:2336
-
-
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\10⤵PID:1796
-
-
C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\10⤵PID:752
-
-
-
C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Checkers\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\9⤵PID:1328
-
C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\10⤵PID:1920
-
-
C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\10⤵PID:1720
-
-
C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\10⤵PID:2584
-
-
C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\10⤵PID:856
-
-
C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\10⤵PID:2252
-
-
C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\10⤵PID:2580
-
-
-
C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Spades\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\9⤵PID:2544
-
C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\10⤵PID:2228
-
-
C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\10⤵PID:2800
-
-
C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\10⤵PID:2424
-
-
C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\10⤵PID:2896
-
-
C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\10⤵PID:1156
-
-
C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe"C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\10⤵PID:584
-
-
-
-
C:\Program Files\Microsoft Games\Purble Place\backup.exe"C:\Program Files\Microsoft Games\Purble Place\backup.exe" C:\Program Files\Microsoft Games\Purble Place\8⤵PID:548
-
C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe"C:\Program Files\Microsoft Games\Purble Place\de-DE\backup.exe" C:\Program Files\Microsoft Games\Purble Place\de-DE\9⤵PID:1780
-
-
C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe"C:\Program Files\Microsoft Games\Purble Place\en-US\backup.exe" C:\Program Files\Microsoft Games\Purble Place\en-US\9⤵PID:2668
-
-
C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe"C:\Program Files\Microsoft Games\Purble Place\es-ES\backup.exe" C:\Program Files\Microsoft Games\Purble Place\es-ES\9⤵PID:2528
-
-
C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe"C:\Program Files\Microsoft Games\Purble Place\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Purble Place\fr-FR\9⤵PID:2432
-
-
C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe"C:\Program Files\Microsoft Games\Purble Place\it-IT\backup.exe" C:\Program Files\Microsoft Games\Purble Place\it-IT\9⤵PID:1440
-
-
C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe"C:\Program Files\Microsoft Games\Purble Place\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Purble Place\ja-JP\9⤵PID:2900
-
-
-
C:\Program Files\Microsoft Games\Solitaire\backup.exe"C:\Program Files\Microsoft Games\Solitaire\backup.exe" C:\Program Files\Microsoft Games\Solitaire\8⤵
- Drops file in Program Files directory
PID:2548 -
C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe"C:\Program Files\Microsoft Games\Solitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\Solitaire\de-DE\9⤵PID:2552
-
-
C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe"C:\Program Files\Microsoft Games\Solitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\Solitaire\en-US\9⤵PID:1924
-
-
C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe"C:\Program Files\Microsoft Games\Solitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\Solitaire\es-ES\9⤵PID:2468
-
-
C:\Program Files\Microsoft Games\Solitaire\fr-FR\System Restore.exe"C:\Program Files\Microsoft Games\Solitaire\fr-FR\System Restore.exe" C:\Program Files\Microsoft Games\Solitaire\fr-FR\9⤵PID:2916
-
-
C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe"C:\Program Files\Microsoft Games\Solitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\Solitaire\it-IT\9⤵PID:1268
-
-
C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe"C:\Program Files\Microsoft Games\Solitaire\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Solitaire\ja-JP\9⤵PID:1716
-
-
-
C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe"C:\Program Files\Microsoft Games\SpiderSolitaire\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\8⤵
- System policy modification
PID:1528 -
C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe"C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\9⤵PID:2560
-
-
C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe"C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\9⤵
- System policy modification
PID:1828
-
-
C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe"C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\9⤵PID:292
-
-
C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe"C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\9⤵PID:2032
-
-
C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe"C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\backup.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\9⤵PID:2524
-
-
C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\System Restore.exe"C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\System Restore.exe" C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\9⤵PID:2364
-
-
-
-
C:\Program Files\Microsoft Office\backup.exe"C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\7⤵PID:792
-
C:\Program Files\Microsoft Office\Office14\backup.exe"C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\8⤵PID:2228
-
C:\Program Files\Microsoft Office\Office14\1033\backup.exe"C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\9⤵PID:2180
-
-
-
-
C:\Program Files\Mozilla Firefox\update.exe"C:\Program Files\Mozilla Firefox\update.exe" C:\Program Files\Mozilla Firefox\7⤵PID:2356
-
C:\Program Files\Mozilla Firefox\browser\backup.exe"C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\8⤵PID:2384
-
C:\Program Files\Mozilla Firefox\browser\features\backup.exe"C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\9⤵PID:2236
-
-
C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe"C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\9⤵PID:2320
-
-
-
C:\Program Files\Mozilla Firefox\defaults\backup.exe"C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\8⤵PID:2252
-
C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe"C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\9⤵PID:2792
-
-
-
C:\Program Files\Mozilla Firefox\fonts\backup.exe"C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\8⤵
- Disables RegEdit via registry modification
PID:1500
-
-
C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe"C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\8⤵PID:2944
-
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe"C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\9⤵PID:1132
-
-
-
C:\Program Files\Mozilla Firefox\uninstall\data.exe"C:\Program Files\Mozilla Firefox\uninstall\data.exe" C:\Program Files\Mozilla Firefox\uninstall\8⤵PID:2336
-
-
-
C:\Program Files\MSBuild\backup.exe"C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\7⤵PID:1484
-
C:\Program Files\MSBuild\Microsoft\backup.exe"C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\8⤵PID:2272
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\9⤵PID:1388
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\10⤵PID:2964
-
-
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe"C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\10⤵
- System policy modification
PID:1808
-
-
-
-
-
C:\Program Files\Reference Assemblies\backup.exe"C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\7⤵PID:1800
-
C:\Program Files\Reference Assemblies\Microsoft\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\8⤵PID:2688
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\System Restore.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\System Restore.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\9⤵PID:1180
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\10⤵
- Drops file in Program Files directory
PID:2680 -
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\11⤵PID:1516
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\11⤵PID:1052
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\11⤵PID:2636
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\11⤵PID:828
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\11⤵PID:2792
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\11⤵PID:2920
-
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\10⤵PID:1864
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\11⤵PID:1792
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\11⤵PID:1512
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\11⤵PID:2684
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\11⤵PID:2832
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\11⤵PID:2856
-
-
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\11⤵PID:1656
-
-
-
-
-
-
C:\Program Files\VideoLAN\backup.exe"C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\7⤵PID:2444
-
C:\Program Files\VideoLAN\VLC\backup.exe"C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\8⤵PID:3060
-
C:\Program Files\VideoLAN\VLC\hrtfs\System Restore.exe"C:\Program Files\VideoLAN\VLC\hrtfs\System Restore.exe" C:\Program Files\VideoLAN\VLC\hrtfs\9⤵PID:1544
-
-
C:\Program Files\VideoLAN\VLC\locale\backup.exe"C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\9⤵
- Drops file in Program Files directory
PID:2784 -
C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\10⤵PID:2768
-
C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\11⤵PID:2384
-
-
-
C:\Program Files\VideoLAN\VLC\locale\af\System Restore.exe"C:\Program Files\VideoLAN\VLC\locale\af\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\af\10⤵
- System policy modification
PID:1388 -
C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\11⤵PID:1532
-
-
-
C:\Program Files\VideoLAN\VLC\locale\am\backup.exe"C:\Program Files\VideoLAN\VLC\locale\am\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\10⤵
- System policy modification
PID:872 -
C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\11⤵PID:2176
-
-
-
C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe"C:\Program Files\VideoLAN\VLC\locale\am_ET\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\10⤵PID:1308
-
C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\11⤵PID:752
-
-
-
C:\Program Files\VideoLAN\VLC\locale\an\backup.exe"C:\Program Files\VideoLAN\VLC\locale\an\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\10⤵PID:2112
-
C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\11⤵PID:496
-
-
-
C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ar\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ar\10⤵PID:836
-
C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\update.exe"C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\11⤵PID:3012
-
-
-
C:\Program Files\VideoLAN\VLC\locale\as_IN\data.exe"C:\Program Files\VideoLAN\VLC\locale\as_IN\data.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\10⤵PID:2220
-
C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\11⤵PID:2292
-
-
-
C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ast\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\10⤵PID:2320
-
C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\11⤵PID:1248
-
-
-
C:\Program Files\VideoLAN\VLC\locale\be\backup.exe"C:\Program Files\VideoLAN\VLC\locale\be\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\10⤵PID:2396
-
C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\11⤵PID:3008
-
-
-
C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe"C:\Program Files\VideoLAN\VLC\locale\bg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\10⤵PID:1984
-
C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\11⤵PID:1284
-
-
-
C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe"C:\Program Files\VideoLAN\VLC\locale\bn\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\10⤵PID:2516
-
C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\11⤵PID:608
-
-
-
C:\Program Files\VideoLAN\VLC\locale\bn_IN\System Restore.exe"C:\Program Files\VideoLAN\VLC\locale\bn_IN\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\10⤵PID:2932
-
C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\11⤵
- Modifies visibility of file extensions in Explorer
PID:584
-
-
-
C:\Program Files\VideoLAN\VLC\locale\br\backup.exe"C:\Program Files\VideoLAN\VLC\locale\br\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\10⤵PID:1084
-
C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\11⤵PID:3036
-
-
-
C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe"C:\Program Files\VideoLAN\VLC\locale\brx\backup.exe" C:\Program Files\VideoLAN\VLC\locale\brx\10⤵PID:2952
-
C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\update.exe"C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\update.exe" C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\11⤵PID:2816
-
-
-
C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe"C:\Program Files\VideoLAN\VLC\locale\bs\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\10⤵PID:2780
-
C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\11⤵PID:2660
-
-
-
C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ca\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\10⤵PID:1528
-
C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\11⤵PID:2552
-
-
-
C:\Program Files\VideoLAN\VLC\locale\ca@valencia\System Restore.exe"C:\Program Files\VideoLAN\VLC\locale\ca@valencia\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\10⤵PID:2196
-
C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\11⤵PID:2176
-
-
-
C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe"C:\Program Files\VideoLAN\VLC\locale\cgg\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\10⤵PID:1816
-
C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\11⤵PID:2856
-
-
-
C:\Program Files\VideoLAN\VLC\locale\co\backup.exe"C:\Program Files\VideoLAN\VLC\locale\co\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\10⤵PID:2872
-
C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\11⤵PID:584
-
-
-
C:\Program Files\VideoLAN\VLC\locale\cs\update.exe"C:\Program Files\VideoLAN\VLC\locale\cs\update.exe" C:\Program Files\VideoLAN\VLC\locale\cs\10⤵PID:836
-
C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\11⤵PID:900
-
-
-
C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe"C:\Program Files\VideoLAN\VLC\locale\cy\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\10⤵PID:2292
-
C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\11⤵PID:2952
-
-
-
C:\Program Files\VideoLAN\VLC\locale\da\backup.exe"C:\Program Files\VideoLAN\VLC\locale\da\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\10⤵PID:2340
-
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\11⤵PID:2820
-
-
-
C:\Program Files\VideoLAN\VLC\locale\de\backup.exe"C:\Program Files\VideoLAN\VLC\locale\de\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\10⤵PID:2940
-
C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\11⤵PID:1724
-
-
-
C:\Program Files\VideoLAN\VLC\locale\el\backup.exe"C:\Program Files\VideoLAN\VLC\locale\el\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\10⤵PID:1184
-
C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\11⤵PID:2736
-
-
-
C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe"C:\Program Files\VideoLAN\VLC\locale\en_GB\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\10⤵PID:2920
-
C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\11⤵PID:1816
-
-
-
C:\Program Files\VideoLAN\VLC\locale\eo\backup.exe"C:\Program Files\VideoLAN\VLC\locale\eo\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eo\10⤵PID:2712
-
C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\11⤵PID:2448
-
-
-
C:\Program Files\VideoLAN\VLC\locale\es\backup.exe"C:\Program Files\VideoLAN\VLC\locale\es\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\10⤵PID:2508
-
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\11⤵PID:2528
-
-
-
C:\Program Files\VideoLAN\VLC\locale\es_MX\backup.exe"C:\Program Files\VideoLAN\VLC\locale\es_MX\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es_MX\10⤵PID:2864
-
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\11⤵PID:2896
-
-
-
C:\Program Files\VideoLAN\VLC\locale\et\backup.exe"C:\Program Files\VideoLAN\VLC\locale\et\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\10⤵PID:2928
-
C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\11⤵PID:2852
-
-
-
C:\Program Files\VideoLAN\VLC\locale\eu\System Restore.exe"C:\Program Files\VideoLAN\VLC\locale\eu\System Restore.exe" C:\Program Files\VideoLAN\VLC\locale\eu\10⤵PID:1556
-
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\11⤵PID:2760
-
-
-
C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe"C:\Program Files\VideoLAN\VLC\locale\fa\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\10⤵PID:1672
-
C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\11⤵PID:2580
-
-
-
C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ff\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\10⤵PID:496
-
C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\11⤵PID:2788
-
-
-
C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe"C:\Program Files\VideoLAN\VLC\locale\fi\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\10⤵PID:2944
-
C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe"C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\backup.exe" C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\11⤵PID:2872
-
-
-
-
-
-
-
C:\Program Files (x86)\update.exe"C:\Program Files (x86)\update.exe" C:\Program Files (x86)\6⤵PID:988
-
C:\Program Files (x86)\Adobe\backup.exe"C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\7⤵PID:2396
-
C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\8⤵PID:2536
-
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\9⤵PID:1548
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\9⤵PID:2956
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\10⤵PID:2252
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\10⤵PID:2952
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\10⤵PID:1516
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\10⤵PID:1980
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\11⤵PID:1736
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\10⤵PID:2660
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\10⤵PID:1552
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\11⤵PID:2544
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\10⤵PID:2576
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\10⤵
- Drops file in Program Files directory
PID:2528 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\11⤵PID:2732
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\12⤵PID:1644
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\11⤵PID:2220
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\12⤵PID:1504
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\13⤵PID:876
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\11⤵PID:1376
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\12⤵PID:2540
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\11⤵
- Disables RegEdit via registry modification
PID:1680 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\12⤵PID:1932
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\10⤵PID:888
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\11⤵
- Disables RegEdit via registry modification
PID:1040
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\10⤵PID:2632
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\10⤵PID:1992
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\9⤵PID:2508
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\10⤵
- Disables RegEdit via registry modification
PID:2764 -
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\11⤵PID:2532
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\10⤵PID:2716
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\10⤵PID:2892
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\11⤵PID:1668
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\11⤵PID:1816
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\12⤵PID:2932
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\13⤵PID:2244
-
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\data.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\10⤵PID:2944
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\10⤵PID:1860
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\11⤵PID:2704
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\12⤵PID:2236
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\12⤵PID:2908
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\13⤵PID:1700
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\13⤵PID:2128
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\13⤵
- System policy modification
PID:1512
-
-
-
-
-
-
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\9⤵PID:2144
-
C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\10⤵PID:1056
-
-
-
-
-
C:\Program Files (x86)\Common Files\backup.exe"C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\7⤵PID:2296
-
C:\Program Files (x86)\Common Files\Adobe\backup.exe"C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\8⤵PID:2724
-
C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\9⤵PID:2708
-
-
C:\Program Files (x86)\Common Files\Adobe\Help\data.exe"C:\Program Files (x86)\Common Files\Adobe\Help\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\9⤵PID:2824
-
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\10⤵PID:2608
-
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\11⤵PID:1560
-
C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\12⤵PID:1668
-
-
-
-
-
C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe"C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\9⤵PID:2736
-
-
-
C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe"C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\8⤵PID:2560
-
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\9⤵PID:2928
-
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe"C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\10⤵PID:2060
-
-
-
-
C:\Program Files (x86)\Common Files\DESIGNER\backup.exe"C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\8⤵PID:2012
-
-
C:\Program Files (x86)\Common Files\microsoft shared\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\8⤵PID:2092
-
C:\Program Files (x86)\Common Files\microsoft shared\DAO\update.exe"C:\Program Files (x86)\Common Files\microsoft shared\DAO\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\9⤵PID:2016
-
-
C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\9⤵PID:1252
-
-
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\9⤵PID:2172
-
C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\10⤵PID:2216
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\9⤵PID:1040
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\9⤵PID:2820
-
-
C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\9⤵PID:2912
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\9⤵PID:2184
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\10⤵PID:2512
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\10⤵PID:2160
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\10⤵PID:2564
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\10⤵PID:1628
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\10⤵
- Modifies visibility of file extensions in Explorer
PID:2972
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\10⤵PID:1668
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\10⤵PID:2676
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\10⤵PID:2732
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\10⤵PID:2356
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\10⤵PID:444
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\10⤵PID:1080
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\9⤵PID:764
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\10⤵PID:752
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\10⤵PID:496
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\10⤵PID:3060
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\10⤵PID:1688
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\10⤵PID:1168
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\10⤵PID:672
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\10⤵PID:1404
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\10⤵PID:2292
-
-
C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\10⤵PID:3064
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\9⤵PID:2040
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\9⤵PID:2224
-
C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\10⤵PID:2800
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\9⤵PID:2876
-
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\10⤵PID:1784
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\10⤵PID:1236
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\10⤵PID:2824
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\data.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\10⤵PID:2592
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\10⤵PID:1148
-
-
C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\10⤵PID:2888
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\9⤵PID:2012
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\10⤵PID:348
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\10⤵PID:2672
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\10⤵
- Drops file in Program Files directory
PID:1532 -
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\11⤵PID:2968
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\11⤵PID:972
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\11⤵PID:1612
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\11⤵PID:1724
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\11⤵PID:1388
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\11⤵PID:2820
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\11⤵PID:2008
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\11⤵PID:376
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\11⤵
- System policy modification
PID:2500
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\11⤵PID:2720
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\11⤵PID:2756
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\data.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\11⤵PID:1776
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\11⤵PID:2192
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\11⤵PID:2652
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\11⤵PID:852
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\11⤵PID:2044
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\11⤵PID:444
-
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\9⤵PID:1616
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\9⤵
- Modifies visibility of file extensions in Explorer
PID:272 -
C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\10⤵PID:796
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\9⤵PID:292
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\9⤵PID:856
-
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\10⤵PID:760
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\data.exe"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\10⤵PID:888
-
C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\11⤵PID:2432
-
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\9⤵PID:1040
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\9⤵PID:2164
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\9⤵
- Drops file in Program Files directory
PID:568 -
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\10⤵PID:2740
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\10⤵PID:2516
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\10⤵PID:2424
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\update.exe"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\10⤵PID:344
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\10⤵PID:1320
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\10⤵PID:2192
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\10⤵PID:2604
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\9⤵
- Disables RegEdit via registry modification
- Drops file in Program Files directory
PID:2064 -
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\10⤵PID:1108
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\10⤵PID:2044
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\10⤵PID:1504
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\10⤵PID:348
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\10⤵PID:1916
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\10⤵PID:1968
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\10⤵PID:1048
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\10⤵PID:2616
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\10⤵PID:2960
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\10⤵PID:3048
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\10⤵PID:1028
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\10⤵PID:2036
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\update.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\10⤵PID:3016
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\10⤵PID:376
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\10⤵PID:2196
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\10⤵PID:2756
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\10⤵PID:2712
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\10⤵PID:2868
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\10⤵
- Modifies visibility of file extensions in Explorer
PID:2888
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\10⤵PID:1256
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\update.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\10⤵PID:2236
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\10⤵PID:328
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\data.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\10⤵PID:2212
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\10⤵PID:2904
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\update.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\10⤵PID:1720
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\10⤵PID:2632
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\10⤵PID:2556
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\10⤵PID:2252
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\10⤵PID:2228
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\10⤵PID:2804
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\10⤵PID:2884
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\10⤵PID:880
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RICEPAPR\10⤵PID:332
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\update.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\10⤵PID:2876
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\10⤵PID:1872
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\10⤵PID:2072
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\10⤵PID:2236
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\10⤵PID:2448
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\10⤵PID:1160
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\10⤵PID:1992
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\10⤵PID:2664
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\10⤵PID:2848
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\10⤵PID:3032
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\10⤵PID:2688
-
-
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\10⤵PID:2244
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\9⤵
- Drops file in Program Files directory
PID:1364 -
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\10⤵PID:1616
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\10⤵PID:3036
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\10⤵PID:292
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\10⤵PID:376
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\10⤵PID:1292
-
-
C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\10⤵PID:2392
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\9⤵
- Drops file in Program Files directory
- System policy modification
PID:2064 -
C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\10⤵PID:1732
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\en-US\10⤵PID:1860
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\10⤵PID:2904
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\10⤵PID:2008
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\10⤵PID:1708
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\10⤵PID:2836
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VBA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\9⤵PID:1488
-
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\10⤵PID:444
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\10⤵PID:1916
-
C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\11⤵PID:2692
-
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VC\9⤵PID:2640
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VGX\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VGX\9⤵PID:2840
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\9⤵PID:2516
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\10⤵PID:1992
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\11⤵PID:2804
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\10⤵PID:2748
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\System Restore.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\11⤵PID:760
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\10⤵PID:1048
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\11⤵PID:2284
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\11⤵PID:2552
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\11⤵PID:2524
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\11⤵PID:2392
-
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\9⤵PID:1264
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\10⤵PID:1960
-
C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\11⤵PID:1780
-
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\update.exe"C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\9⤵PID:1732
-
C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\10⤵PID:2068
-
-
-
C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\9⤵PID:2032
-
C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\10⤵
- Modifies visibility of file extensions in Explorer
PID:2532 -
C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\11⤵PID:2756
-
C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe"C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\12⤵PID:1724
-
-
-
-
-
-
C:\Program Files (x86)\Common Files\Services\backup.exe"C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\8⤵PID:2428
-
-
C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe"C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\8⤵PID:2444
-
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe"C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\9⤵PID:3020
-
-
-
C:\Program Files (x86)\Common Files\System\backup.exe"C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\8⤵PID:2380
-
C:\Program Files (x86)\Common Files\System\ado\backup.exe"C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\9⤵PID:1648
-
C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe"C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\10⤵PID:2772
-
-
C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe"C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\10⤵PID:2852
-
-
C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe"C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\10⤵PID:1776
-
-
C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe"C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\10⤵PID:1284
-
-
C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe"C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\10⤵PID:2428
-
-
C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe"C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\10⤵PID:2040
-
-
-
C:\Program Files (x86)\Common Files\System\de-DE\backup.exe"C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\9⤵PID:1616
-
-
C:\Program Files (x86)\Common Files\System\en-US\update.exe"C:\Program Files (x86)\Common Files\System\en-US\update.exe" C:\Program Files (x86)\Common Files\System\en-US\9⤵PID:2612
-
-
C:\Program Files (x86)\Common Files\System\es-ES\backup.exe"C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\9⤵PID:2820
-
-
C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe"C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\9⤵
- Disables RegEdit via registry modification
PID:2132
-
-
C:\Program Files (x86)\Common Files\System\it-IT\data.exe"C:\Program Files (x86)\Common Files\System\it-IT\data.exe" C:\Program Files (x86)\Common Files\System\it-IT\9⤵PID:3008
-
-
C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe"C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\9⤵PID:2600
-
-
C:\Program Files (x86)\Common Files\System\msadc\backup.exe"C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\9⤵PID:2940
-
C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe"C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\10⤵PID:2428
-
-
C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe"C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\10⤵PID:1588
-
-
C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe"C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\10⤵PID:900
-
-
C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe"C:\Program Files (x86)\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\10⤵PID:672
-
-
C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe"C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\10⤵PID:2864
-
-
C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe"C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\10⤵
- System policy modification
PID:2340
-
-
-
C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe"C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\9⤵PID:2160
-
C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe"C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\1033\10⤵
- System policy modification
PID:2892
-
-
-
C:\Program Files (x86)\Common Files\System\Ole DB\data.exe"C:\Program Files (x86)\Common Files\System\Ole DB\data.exe" C:\Program Files (x86)\Common Files\System\Ole DB\9⤵PID:2868
-
C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe"C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\10⤵PID:928
-
-
C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe"C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\10⤵PID:2076
-
-
C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe"C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\10⤵PID:1736
-
-
C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe"C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\10⤵PID:1600
-
-
C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe"C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\10⤵PID:2608
-
-
C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe"C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\10⤵
- Disables RegEdit via registry modification
PID:3064
-
-
-
-
-
C:\Program Files (x86)\Google\backup.exe"C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\7⤵PID:2712
-
C:\Program Files (x86)\Google\CrashReports\backup.exe"C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\8⤵PID:2468
-
-
C:\Program Files (x86)\Google\Temp\backup.exe"C:\Program Files (x86)\Google\Temp\backup.exe" C:\Program Files (x86)\Google\Temp\8⤵PID:3028
-
-
C:\Program Files (x86)\Google\Update\backup.exe"C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\8⤵PID:796
-
C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe"C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\9⤵PID:1048
-
-
C:\Program Files (x86)\Google\Update\Download\backup.exe"C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\9⤵PID:1764
-
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\10⤵PID:1184
-
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe"C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\11⤵PID:2476
-
-
-
-
C:\Program Files (x86)\Google\Update\Install\update.exe"C:\Program Files (x86)\Google\Update\Install\update.exe" C:\Program Files (x86)\Google\Update\Install\9⤵PID:2872
-
C:\Program Files (x86)\Google\Update\Install\{4EFAFADA-208B-4BC3-8A2E-F71970AC49AC}\backup.exe"C:\Program Files (x86)\Google\Update\Install\{4EFAFADA-208B-4BC3-8A2E-F71970AC49AC}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{4EFAFADA-208B-4BC3-8A2E-F71970AC49AC}\10⤵PID:484
-
-
-
C:\Program Files (x86)\Google\Update\Offline\backup.exe"C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\9⤵PID:348
-
-
-
-
C:\Program Files (x86)\Internet Explorer\backup.exe"C:\Program Files (x86)\Internet Explorer\backup.exe" C:\Program Files (x86)\Internet Explorer\7⤵PID:1812
-
C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe"C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\8⤵PID:2156
-
-
C:\Program Files (x86)\Internet Explorer\en-US\backup.exe"C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\8⤵PID:1992
-
-
C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe"C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\8⤵
- Modifies visibility of file extensions in Explorer
PID:2364
-
-
C:\Program Files (x86)\Internet Explorer\fr-FR\System Restore.exe"C:\Program Files (x86)\Internet Explorer\fr-FR\System Restore.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\8⤵PID:1596
-
-
C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe"C:\Program Files (x86)\Internet Explorer\it-IT\backup.exe" C:\Program Files (x86)\Internet Explorer\it-IT\8⤵PID:1400
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\update.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\update.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\8⤵PID:2712
-
-
C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe"C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\8⤵PID:2628
-
-
-
C:\Program Files (x86)\Microsoft Analysis Services\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\7⤵PID:1592
-
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\8⤵PID:2912
-
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\9⤵PID:2272
-
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\10⤵PID:1320
-
-
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\10⤵PID:1560
-
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\11⤵PID:584
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft Office\backup.exe"C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\7⤵PID:1916
-
C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\8⤵PID:1196
-
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\9⤵PID:1700
-
-
C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\9⤵PID:2772
-
C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe"C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\10⤵PID:1552
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe"C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\8⤵PID:2884
-
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\9⤵PID:2580
-
-
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\9⤵PID:1564
-
-
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe"C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\9⤵PID:2900
-
-
-
C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\8⤵PID:1236
-
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\9⤵PID:1660
-
C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\update.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\update.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\10⤵PID:672
-
-
-
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\System Restore.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\System Restore.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\9⤵PID:484
-
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\10⤵PID:2660
-
-
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\10⤵PID:2612
-
-
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\10⤵
- Disables RegEdit via registry modification
PID:568
-
-
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe"C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\10⤵PID:2836
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\8⤵PID:1716
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\9⤵
- Drops file in Program Files directory
PID:2480 -
C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\10⤵PID:2548
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\10⤵PID:1800
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\10⤵PID:1436
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\11⤵PID:2912
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\update.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\update.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\12⤵PID:2908
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\12⤵
- System policy modification
PID:2456
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\12⤵PID:2948
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\System Restore.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\12⤵PID:1572
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\12⤵PID:1720
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\12⤵PID:2132
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\12⤵PID:2052
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\12⤵PID:2576
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\12⤵PID:2032
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\12⤵PID:1776
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\12⤵PID:1864
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\12⤵PID:2272
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\12⤵
- Disables RegEdit via registry modification
PID:1680
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\12⤵PID:1960
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\12⤵PID:1512
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\10⤵PID:996
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\10⤵PID:2820
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\10⤵PID:2800
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1036\9⤵PID:2940
-
-
C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\3082\9⤵
- Disables RegEdit via registry modification
PID:2396
-
-
C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\9⤵PID:2760
-
-
C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\9⤵PID:1756
-
-
C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\9⤵PID:284
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\9⤵PID:1684
-
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\10⤵PID:752
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\10⤵PID:928
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\9⤵PID:1992
-
-
C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\9⤵PID:668
-
C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\10⤵PID:1612
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\9⤵PID:1504
-
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\System Restore.exe"C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\10⤵PID:2764
-
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\11⤵PID:3000
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\FORMS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\FORMS\9⤵PID:2016
-
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\10⤵PID:2772
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\9⤵
- Drops file in Program Files directory
PID:2132 -
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\10⤵PID:1836
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\11⤵PID:1304
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\12⤵PID:1348
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\System Restore.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\System Restore.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\12⤵PID:496
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\12⤵PID:2932
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\11⤵PID:2908
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\12⤵PID:2536
-
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\10⤵PID:1056
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\11⤵PID:1512
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\11⤵PID:1316
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\11⤵PID:1980
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\10⤵PID:1484
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\10⤵PID:2820
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\11⤵
- Drops file in Program Files directory
PID:1552 -
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\12⤵PID:2728
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\data.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\data.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\12⤵PID:2228
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\12⤵PID:348
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\12⤵PID:2712
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\backup.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\12⤵PID:584
-
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\update.exe"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\update.exe" C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\12⤵PID:1612
-
-
-
-
-
-
-
-
C:\Users\backup.exeC:\Users\backup.exe C:\Users\6⤵PID:2544
-
C:\Users\Admin\backup.exeC:\Users\Admin\backup.exe C:\Users\Admin\7⤵PID:328
-
C:\Users\Admin\Contacts\System Restore.exe"C:\Users\Admin\Contacts\System Restore.exe" C:\Users\Admin\Contacts\8⤵PID:1964
-
-
C:\Users\Admin\Desktop\backup.exeC:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\8⤵PID:1612
-
-
C:\Users\Admin\Documents\backup.exeC:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\8⤵PID:1720
-
-
C:\Users\Admin\Downloads\backup.exeC:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\8⤵PID:2576
-
-
C:\Users\Admin\Favorites\backup.exeC:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\8⤵PID:2680
-
-
C:\Users\Admin\Links\backup.exeC:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\8⤵PID:2928
-
-
C:\Users\Admin\Music\backup.exeC:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\8⤵PID:1400
-
-
C:\Users\Admin\Pictures\backup.exeC:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\8⤵PID:2480
-
-
C:\Users\Admin\Saved Games\backup.exe"C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\8⤵PID:2072
-
-
C:\Users\Admin\Searches\backup.exeC:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\8⤵PID:2132
-
-
C:\Users\Admin\Videos\data.exeC:\Users\Admin\Videos\data.exe C:\Users\Admin\Videos\8⤵
- System policy modification
PID:2832
-
-
-
C:\Users\Public\backup.exeC:\Users\Public\backup.exe C:\Users\Public\7⤵PID:1804
-
C:\Users\Public\Documents\System Restore.exe"C:\Users\Public\Documents\System Restore.exe" C:\Users\Public\Documents\8⤵PID:2488
-
-
C:\Users\Public\Downloads\backup.exeC:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\8⤵PID:668
-
-
C:\Users\Public\Music\backup.exeC:\Users\Public\Music\backup.exe C:\Users\Public\Music\8⤵PID:1988
-
C:\Users\Public\Music\Sample Music\backup.exe"C:\Users\Public\Music\Sample Music\backup.exe" C:\Users\Public\Music\Sample Music\9⤵PID:1168
-
-
-
C:\Users\Public\Pictures\backup.exeC:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\8⤵PID:3064
-
C:\Users\Public\Pictures\Sample Pictures\backup.exe"C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\9⤵PID:2800
-
-
-
C:\Users\Public\Recorded TV\backup.exe"C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\8⤵PID:836
-
C:\Users\Public\Recorded TV\Sample Media\backup.exe"C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\9⤵PID:2180
-
-
-
C:\Users\Public\Videos\backup.exeC:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\8⤵PID:2888
-
C:\Users\Public\Videos\Sample Videos\backup.exe"C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\9⤵PID:1544
-
-
-
-
-
C:\Windows\backup.exeC:\Windows\backup.exe C:\Windows\6⤵
- Drops file in Windows directory
PID:2072 -
C:\Windows\addins\backup.exeC:\Windows\addins\backup.exe C:\Windows\addins\7⤵PID:2684
-
-
C:\Windows\AppCompat\backup.exeC:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\7⤵PID:2008
-
-
C:\Windows\AppPatch\backup.exeC:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\7⤵PID:292
-
C:\Windows\AppPatch\AppPatch64\backup.exeC:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\8⤵PID:632
-
-
C:\Windows\AppPatch\Custom\backup.exeC:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\8⤵PID:2844
-
C:\Windows\AppPatch\Custom\Custom64\backup.exeC:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\9⤵
- Modifies visibility of file extensions in Explorer
PID:1636
-
-
-
C:\Windows\AppPatch\de-DE\backup.exeC:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\8⤵PID:836
-
-
C:\Windows\AppPatch\en-US\backup.exeC:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\8⤵PID:1492
-
-
C:\Windows\AppPatch\es-ES\backup.exeC:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\8⤵PID:2236
-
-
C:\Windows\AppPatch\fr-FR\backup.exeC:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\8⤵PID:2356
-
-
C:\Windows\AppPatch\it-IT\backup.exeC:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\8⤵PID:1740
-
-
C:\Windows\AppPatch\ja-JP\backup.exeC:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\8⤵PID:2576
-
-
-
C:\Windows\assembly\data.exeC:\Windows\assembly\data.exe C:\Windows\assembly\7⤵
- Drops file in Windows directory
PID:1988 -
C:\Windows\assembly\GAC\System Restore.exe"C:\Windows\assembly\GAC\System Restore.exe" C:\Windows\assembly\GAC\8⤵PID:2252
-
C:\Windows\assembly\GAC\ADODB\backup.exeC:\Windows\assembly\GAC\ADODB\backup.exe C:\Windows\assembly\GAC\ADODB\9⤵PID:1292
-
C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\10⤵PID:2932
-
-
-
C:\Windows\assembly\GAC\Extensibility\backup.exeC:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\9⤵PID:1648
-
C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\10⤵PID:2616
-
-
-
C:\Windows\assembly\GAC\Microsoft.Ink\backup.exeC:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\9⤵
- Drops file in Windows directory
PID:1588 -
C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\10⤵PID:1124
-
-
C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\10⤵PID:1720
-
-
-
C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exeC:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\9⤵PID:2240
-
C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\10⤵PID:2760
-
-
-
C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exeC:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\9⤵PID:2832
-
C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\10⤵PID:2540
-
-
-
C:\Windows\assembly\GAC\mscomctl\backup.exeC:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\9⤵PID:2160
-
C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\10⤵PID:2572
-
-
-
C:\Windows\assembly\GAC\MSDATASRC\backup.exeC:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\9⤵PID:2128
-
C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\10⤵PID:1560
-
-
-
C:\Windows\assembly\GAC\stdole\backup.exeC:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\9⤵PID:900
-
C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\10⤵PID:3040
-
-
-
-
C:\Windows\assembly\GAC_32\backup.exeC:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\8⤵PID:2144
-
C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exeC:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\9⤵PID:2164
-
C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\data.exeC:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\data.exe C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\10⤵PID:2016
-
-
-
C:\Windows\assembly\GAC_32\BDATunePIA\System Restore.exe"C:\Windows\assembly\GAC_32\BDATunePIA\System Restore.exe" C:\Windows\assembly\GAC_32\BDATunePIA\9⤵PID:2636
-
C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\10⤵PID:292
-
-
-
C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exeC:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\9⤵PID:2300
-
C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\10⤵PID:2244
-
-
-
C:\Windows\assembly\GAC_32\ehexthost32\backup.exeC:\Windows\assembly\GAC_32\ehexthost32\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\9⤵
- Drops file in Windows directory
PID:1348 -
C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\10⤵PID:2568
-
-
-
C:\Windows\assembly\GAC_32\ISymWrapper\backup.exeC:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\9⤵PID:1148
-
C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\10⤵PID:2160
-
-
-
C:\Windows\assembly\GAC_32\mcstoredb\backup.exeC:\Windows\assembly\GAC_32\mcstoredb\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\9⤵PID:2216
-
C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\10⤵PID:3004
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\9⤵PID:672
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\10⤵PID:1028
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\data.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\data.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\9⤵PID:1632
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\10⤵PID:1644
-
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\10⤵PID:2016
-
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\10⤵PID:2652
-
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\data.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\data.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\10⤵PID:2496
-
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\10⤵PID:1656
-
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\10⤵PID:2812
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\9⤵PID:1872
-
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\10⤵PID:2112
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\9⤵PID:1256
-
C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\10⤵PID:2528
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\9⤵PID:760
-
C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\10⤵PID:2616
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\9⤵PID:1732
-
C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\System Restore.exe"C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\System Restore.exe" C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\10⤵PID:1980
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\9⤵PID:1608
-
C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\10⤵PID:292
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\9⤵PID:2396
-
C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\10⤵PID:1528
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\9⤵PID:2432
-
C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\10⤵PID:2196
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\backup.exeC:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\backup.exe C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\9⤵PID:2808
-
C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\backup.exeC:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\10⤵PID:1788
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\9⤵PID:2464
-
C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\10⤵PID:2236
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\backup.exeC:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\backup.exe C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\9⤵PID:1668
-
C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\Microsoft.VisualStudio.Tools.Applications.InteropAdapter\8.0.0.0__b03f5f7f11d50a3a\10⤵PID:2628
-
-
-
C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\9⤵PID:3004
-
C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\10⤵PID:2952
-
-
-
C:\Windows\assembly\GAC_32\MSBuild\backup.exeC:\Windows\assembly\GAC_32\MSBuild\backup.exe C:\Windows\assembly\GAC_32\MSBuild\9⤵PID:2164
-
C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exeC:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\10⤵PID:2240
-
-
-
C:\Windows\assembly\GAC_32\mscorlib\backup.exeC:\Windows\assembly\GAC_32\mscorlib\backup.exe C:\Windows\assembly\GAC_32\mscorlib\9⤵PID:1516
-
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\backup.exe C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\10⤵PID:576
-
-
-
C:\Windows\assembly\GAC_32\napcrypt\backup.exeC:\Windows\assembly\GAC_32\napcrypt\backup.exe C:\Windows\assembly\GAC_32\napcrypt\9⤵PID:1724
-
C:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\napcrypt\6.1.0.0__31bf3856ad364e35\10⤵PID:2180
-
-
-
C:\Windows\assembly\GAC_32\naphlpr\backup.exeC:\Windows\assembly\GAC_32\naphlpr\backup.exe C:\Windows\assembly\GAC_32\naphlpr\9⤵PID:2548
-
C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\naphlpr\6.1.0.0__31bf3856ad364e35\10⤵PID:2692
-
-
-
C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\backup.exeC:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\9⤵PID:2184
-
C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exeC:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Ink\6.1.0.0__31bf3856ad364e35\10⤵PID:2484
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exeC:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2644
-
-
C:\Users\Admin\AppData\Local\Temp\Low\backup.exeC:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2528
-
-
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exeC:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2500
-
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_1620485634\backup.exeC:\Users\Admin\AppData\Local\Temp\scoped_dir2060_1620485634\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_1620485634\4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_1620485634\CRX_INSTALL\backup.exeC:\Users\Admin\AppData\Local\Temp\scoped_dir2060_1620485634\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_1620485634\CRX_INSTALL\5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2744
-
-
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_864416737\backup.exeC:\Users\Admin\AppData\Local\Temp\scoped_dir2060_864416737\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_864416737\4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_864416737\CRX_INSTALL\backup.exeC:\Users\Admin\AppData\Local\Temp\scoped_dir2060_864416737\CRX_INSTALL\backup.exe C:\Users\Admin\AppData\Local\Temp\scoped_dir2060_864416737\CRX_INSTALL\5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2476
-
-
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exeC:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:792
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml
Filesize14KB
MD5de4a67a62d589b42774751b5a7ce4e30
SHA17a89f48b8c7acca7b4e6b21d2fc527cb7bdc6a22
SHA25602af5698d15561e6f913d566d30f5e9a5243b73141566b094bc8e9ca48db6579
SHA5121538f0ac7603e5f0071d725e96d560a60355ebf9b823e8b871febd66d0472a541a57ee4f6740a32483e39c378b70c4c48ec493c7d38244f345932b1189a7bfb8
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize12KB
MD58156706568e77846b7bfbcc091c6ffeb
SHA1792aa0db64f517520ee8f745bee71152532fe4d2
SHA2565e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8
SHA5128760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize8KB
MD57757fe48a0974cb625e89012c92cc995
SHA1e4684021f14053c3f9526070dc687ff125251162
SHA256c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03
SHA512b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526
-
Filesize
451KB
MD55e5dd308bbe2bde97c1f8c5da26fec67
SHA1e12aeae9f076916a556fa0577561797fc6db4191
SHA2561c1a4052ebc386d5f9ab00d65de2e08a524afe8b9755b29ecd80f6d70fa83c60
SHA5122c6cf421f3c9fa2b03de78ae31f070029a2fee20369ca17019a155d28b630be61d237562727995dfb9e1fdacab7a8ed270af8972dd64a820a683646b023d4095
-
Filesize
640KB
MD5f5e4be15429358049d32b6ad3088e1de
SHA126ee6a079c168e39e9675c15e2483cd22882f2d3
SHA2565065e0cb9395903ada0cd5718cc4b1bef318b11275c1faa4e7302ae8ec11406a
SHA512c2e492f806a60885e95bac67a0e4320db8bc2ed95b4aaedcc807786593a580512265332f3d72f06a8357413fab92287b3af6dc22852dd550a5ce0bc137b8e784
-
Filesize
640KB
MD55a57b65a94c7492557c9d53a106fa2ca
SHA1768f38faaf00c8a925ac3d5f7ccfb14f7ddb568a
SHA256081267c347153a66b84563c327b97c6b37603d14d66a9ce305a29b088c995a5a
SHA5126616358bbbd8642c361c6c1f6ddb8aa096475d30093d5ac88c2debb526a37bb364af52a9d9d42b7e58cfe7effc9ae19923db9bb5d1db9d18a356a96674b44948
-
Filesize
461KB
MD5a81dfc4cd4a1c5847771898e481650b4
SHA16778d3bfeb7a39a912d7775b16d20a9f32fd357e
SHA25659ace68debfd2c48b7ad6b3d5b1805eb42ffbfb01b4af5ac44e5f2dc51d34449
SHA5122291de464b342fd8bcad710401ced908a81d74b92aeb2f98e3a652f0dfe96b22c95b01a49c28de93395082083ab2f59ec0a4535d32a14511e731a1fcaaa7e423
-
Filesize
451KB
MD52f4cc82afd826d87605294e72c73cc85
SHA19073ab832d3bb7467a9259ccaac96071cb3fa254
SHA256098b3202a2d56bc53d9073c83e440063731d8bf95b366814737fc2513e7fd6b0
SHA512b069fc7b4d64eed64337f6acf01d8502b3214d4854109aac46ca17ed565ece1d79ae27b3de34b30fc97168f414780cfcbfe741cb52248761b726a0b399a0d94f
-
Filesize
461KB
MD50809b0f7be30c725e980e8b615f41172
SHA15a7785e53e48e4353d49e5b9bce9050e806a3381
SHA256e6152114cd37a55e30427a3d5bde121fb1bb78c8ebf34df78ba603af77ac86e9
SHA512c4457c49cf1dca07b1ae778e276715e580232c4b46cd0eaf8fb38fc2f11f7107979ed8c041360a6615f0c6271d5ea609b92d7e0c01f1e952628d8ff60775b0ac
-
Filesize
152KB
MD5b5824ba1e9b0d44a6fd248be949463c3
SHA1c8db6c5f029bba0f6cc50902289686b9db2fc663
SHA2568dda3e82328ea910b5c52c4be6dd02f119c4b0314ab38c92dfdfc9b3f7e55d98
SHA512abde1b74d3804f3ffcf7f5fde1c817dd038a577ed1c7ea38e1bb86048d669dae58b61eef9711fbde1e3f5afd87c2414dcb74a5128bc5b463324e70f4e94c5883
-
Filesize
78KB
MD527ad85aaabe539049acf9224a79b1150
SHA16af00b0e57fe4013a2457688526aadf9b1dc0f84
SHA256d7d21d7943f5d462ebcf6516597adc2037ddc903da91c3881275d94be544f9c5
SHA51272adea99a75794cdc604a41348b39fa23e65b465bc038494fa4b9e9eb70286ba5d582f826e5434d790f71898e4ddb60058c507e511a725c25dba39a93c46fa58
-
Filesize
25KB
MD565f55316de7cc6ce09261bc5aa314cfb
SHA1e7d5ad6d809e929708449b50022e3c040b0e0bd2
SHA25665f6f8655a2310694fbcaf4e0337ee675e68ed6a1207a98139a936bc9d62e866
SHA512cd2d9571deba506187333d392192875a50a75f0a80ecb0e09e65a167f49c98158e65e8f3bb3009a71d3e8ed4605586a994df9a49f8dddac513410457e69375da
-
Filesize
22B
MD576cdb2bad9582d23c1f6f4d868218d6c
SHA1b04f3ee8f5e43fa3b162981b50bb72fe1acabb33
SHA2568739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
SHA5125e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f
-
Filesize
10KB
MD5561b9e0a4b6d25a29c05685899bacd28
SHA1fac0ce4ea59eaf9294885b0732874a7a45ce9dd7
SHA256b2e736df142fe82ffe1fd6b5b37b3ae5cec315f81d647a55e082a169a62fbaea
SHA5129d60233edb7c3bb748426fee36c8b5290ca4ead9ed573456933cb9e8a51d32ebe41b5816601c62974347fe5ef0e88dae3d4290a4833933b4e3a4a79526f74fdb
-
Filesize
78KB
MD52e7b255fa78fac7770a2b27bb76daebb
SHA1005018d2bc39fd30b11acb83a43330e66594190e
SHA25606537740e79088374c0776ee1fb1fba6a7ab1ed7ca842f79e8344d9ee885bc43
SHA512543fedab5a0eda8df147ecea9021188da31f8f061ec250a60652daa79a584e08ba94bd23fec43ac41bf900e6badd2be627931d0b6334784938f7dbcedadd615d
-
Filesize
86KB
MD59f7767afdee803532b7764c59702d08b
SHA1348b5431bba5534ee9751f33d8d42e8702802fe2
SHA2561f2fa7b0e5147749a23e6b5680120a805b84ee18b6f2bfb9a2a91789345643c8
SHA5122d20a4dbc037240d258946826f4f172eacbe824be0594f148244dff80080bab033e3af0cfbc3b745fa23ef39f67206fd7e481f72407583bcae8335f8d3f5274d
-
Filesize
78KB
MD5f2ca983533e2c2e0db3bac8222dcfac2
SHA1a736a3a5af56a5a69c73187f8f18d34e6c20875c
SHA25602aee914e2872f7757e964c378d8789e954d9b4b7edfd9164ab2c348e2a15243
SHA51244f195290ae9261045f6fb790bfc28afc4112816fb850f96b06a1f9ceb5166afe376cadd374dbbc5471af50188443a1888b903909f33437b7932779db238d842
-
Filesize
78KB
MD569bb31e8ff2fad1f7ea4f0bee1d51563
SHA104345b9ebdbb2e3a73a53c962681a10529303629
SHA256590451e5c4a267abd7240790f292e924d38795f82c0f40fdf91433c7fd1bd796
SHA5124d77ae951d56b4a1a52f364df75ee394ae9d6ab5827e700f2a88ef8052602c26f60f84966b9d7b6f66c376bcc488cfabb41addcc37ab4be9620f71450746df59
-
Filesize
78KB
MD52204e8a55f0f15c7a38338f7c73824e1
SHA1ac47a7f0d2311f4602ba42a28b46f32e6765a492
SHA256271e305cf580ccd4c9425606e353e777f1cb2e7d8b0bf9a25a36a9c4b695aac2
SHA5122de9d6cc8a688e0f6a2916f87b0909bea0926f7b879655cf046f330a2e0040fa0f4049b4eb791a663c550a78dd2aa45889f4f6687fdc810c1c4da23be97ce96a