bc88a43dc924ed102091d40878d024eba6408525441dc7c59ff2cbaa08b8d0a0

Analysis

max time kernel
120s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 23:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

226e758c6f65e3870d393be67e3a1fe0N.exe
Size

168KB
MD5

226e758c6f65e3870d393be67e3a1fe0
SHA1

553e5dc6cb1403dc80b7b64b16badc6610e28326
SHA256

bc88a43dc924ed102091d40878d024eba6408525441dc7c59ff2cbaa08b8d0a0
SHA512

7cf67cbecaa5b9dfd6a05558406d79a12032f0cf0c4c6e574bd36721b74dee0fd07f5bb39fd0e79cc1bdb89c6b08cbbde8f8c5bfa22dd640debef95e16319638
SSDEEP

1536:9eT7BVwxfvEFwjRbe+X9nw0lRxNm1V2UrEN7gJMVrI:9mVwRKCbe+X5lR302U4kh

Score

10^/10

discovery evasion upx

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	System Restore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	data.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	update.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	backup.exe

Executes dropped EXE 64 IoCs

pid	Process
2276	backup.exe
2184	backup.exe
2796	backup.exe
2152	backup.exe
2768	System Restore.exe
2560	backup.exe
2736	backup.exe
3016	backup.exe
2244	backup.exe
1984	backup.exe
564	data.exe
2052	backup.exe
2304	backup.exe
924	backup.exe
2320	backup.exe
2188	backup.exe
916	backup.exe
828	backup.exe
2160	backup.exe
1332	backup.exe
2020	backup.exe
2496	backup.exe
596	backup.exe
2456	backup.exe
2512	backup.exe
1632	backup.exe
2144	backup.exe
2288	backup.exe
2884	backup.exe
2792	System Restore.exe
2352	backup.exe
2688	backup.exe
2752	backup.exe
2620	backup.exe
2972	backup.exe
928	backup.exe
2832	backup.exe
2384	data.exe
1696	backup.exe
1812	backup.exe
672	backup.exe
1760	System Restore.exe
2000	backup.exe
2168	backup.exe
1596	backup.exe
1972	backup.exe
1648	System Restore.exe
1976	data.exe
880	backup.exe
108	backup.exe
856	System Restore.exe
1332	backup.exe
1728	backup.exe
824	backup.exe
1692	System Restore.exe
2968	backup.exe
860	backup.exe
1516	backup.exe
2476	backup.exe
3056	backup.exe
2696	backup.exe
2792	backup.exe
2732	backup.exe
1292	backup.exe

Loads dropped DLL 64 IoCs

pid	Process
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
2152	backup.exe
2768	System Restore.exe
2768	System Restore.exe
2560	backup.exe
2152	backup.exe
2560	backup.exe
2736	backup.exe
2736	backup.exe
2768	System Restore.exe
2768	System Restore.exe
2736	backup.exe
2736	backup.exe
1984	backup.exe
1984	backup.exe
2736	backup.exe
2736	backup.exe
2052	backup.exe
2052	backup.exe
2736	backup.exe
2736	backup.exe
2736	backup.exe
1984	backup.exe
1984	backup.exe
2736	backup.exe
2188	backup.exe
2188	backup.exe
2736	backup.exe
2736	backup.exe
828	backup.exe
828	backup.exe
2736	backup.exe
2736	backup.exe
828	backup.exe
828	backup.exe
2736	backup.exe
2736	backup.exe
2496	backup.exe
2496	backup.exe
2736	backup.exe
2736	backup.exe
2496	backup.exe
2496	backup.exe
2736	backup.exe
2736	backup.exe
2496	backup.exe
2496	backup.exe
2736	backup.exe
2736	backup.exe
2496	backup.exe
2496	backup.exe
2496	backup.exe
2736	backup.exe
2496	backup.exe
2736	backup.exe
2496	backup.exe
2496	backup.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1668-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0007000000016d58-5.dat	upx
behavioral1/memory/2184-29-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2796-35-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0004000000017801-39.dat	upx
behavioral1/memory/1668-41-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0005000000018f94-51.dat	upx
behavioral1/memory/2276-52-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0015000000016ceb-59.dat	upx
behavioral1/files/0x0005000000018f9a-66.dat	upx
behavioral1/files/0x0005000000018f9e-79.dat	upx
behavioral1/memory/2796-89-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2152-94-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/3016-99-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2560-103-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0006000000018fa2-113.dat	upx
behavioral1/files/0x0005000000018fa6-110.dat	upx
behavioral1/memory/2768-119-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2244-132-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0005000000018fac-142.dat	upx
behavioral1/memory/2736-149-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/564-148-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0005000000018fb5-164.dat	upx
behavioral1/memory/1984-170-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2304-174-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0005000000018fb8-181.dat	upx
behavioral1/memory/2052-191-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0005000000018fc1-195.dat	upx
behavioral1/memory/2320-190-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/924-189-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0007000000018fb6-215.dat	upx
behavioral1/memory/916-228-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2188-245-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2160-252-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1332-258-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2020-270-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/828-272-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/596-290-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2512-302-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2496-308-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2456-310-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2512-309-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2144-326-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1632-329-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2288-348-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2792-350-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2688-368-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2352-377-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2752-383-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2620-396-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2972-395-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2736-403-0x0000000000340000-0x000000000036A000-memory.dmp	upx
behavioral1/memory/928-412-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2832-418-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1696-434-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2384-428-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2736-443-0x0000000000340000-0x000000000036A000-memory.dmp	upx
behavioral1/memory/672-447-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2380-1870-0x0000000000220000-0x0000000000230000-memory.dmp	upx
behavioral1/memory/1300-1882-0x0000000000250000-0x0000000000260000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\System Restore.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\update.exe	update.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\backup.exe	backup.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\update.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe	data.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\System Restore.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\backup.exe	backup.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\backup.exe	backup.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe	backup.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\backup.exe	backup.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe	backup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppPatch\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Extensibility\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\backup.exe	backup.exe
File opened for modification	C:\Windows\fr-FR\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_64\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\Cursors\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehCIR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\AspNetMMCExt\System Restore.exe	backup.exe
File opened for modification	C:\Windows\assembly\tmp\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\update.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\ja-JP\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\CustomMarshalers\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\data.exe	backup.exe
File opened for modification	C:\Windows\CSC\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe	backup.exe
File opened for modification	C:\Windows\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\ISymWrapper\System Restore.exe	backup.exe
File opened for modification	C:\Windows\debug\WIA\backup.exe	backup.exe
File opened for modification	C:\Windows\DigitalLocker\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\a0a453714c9ec8d6954490f711f5158a\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\CreateDisc\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\ehCIR\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\CreateDisc\Components\tables\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe	backup.exe
File opened for modification	C:\Windows\en-US\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\fr-FR\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe	backup.exe
File opened for modification	C:\Windows\de-DE\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe	data.exe
File opened for modification	C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\de-DE\data.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\backup.exe	Process not Found
File opened for modification	C:\Windows\DigitalLocker\es-ES\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\CreateDisc\style\backup.exe	backup.exe
File opened for modification	C:\Windows\ehome\fr-FR\backup.exe	System Restore.exe
File opened for modification	C:\Windows\assembly\GAC\stdole\backup.exe	backup.exe
File opened for modification	C:\Windows\Branding\Basebrd\it-IT\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\9859a6e0562f64eacfb8ad76f260a2d6\backup.exe	backup.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\System Restore.exe	System Restore.exe
File opened for modification	C:\Windows\ehome\CreateDisc\SFXPlugins\update.exe	backup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System Restore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2292	backup.exe
1296	update.exe
2324	backup.exe
520	backup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1668	226e758c6f65e3870d393be67e3a1fe0N.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1668	226e758c6f65e3870d393be67e3a1fe0N.exe
2276	backup.exe
2184	backup.exe
2796	backup.exe
2152	backup.exe
2768	System Restore.exe
2560	backup.exe
2736	backup.exe
3016	backup.exe
2244	backup.exe
1984	backup.exe
564	data.exe
2052	backup.exe
2304	backup.exe
2320	backup.exe
924	backup.exe
2188	backup.exe
916	backup.exe
828	backup.exe
2160	backup.exe
1332	backup.exe
2020	backup.exe
2496	backup.exe
596	backup.exe
2456	backup.exe
2512	backup.exe
1632	backup.exe
2144	backup.exe
2288	backup.exe
2884	backup.exe
2792	System Restore.exe
2688	backup.exe
2352	backup.exe
2752	backup.exe
2620	backup.exe
2972	backup.exe
928	backup.exe
2832	backup.exe
2384	data.exe
1696	backup.exe
1812	backup.exe
672	backup.exe
2000	backup.exe
1760	System Restore.exe
2168	backup.exe
1596	backup.exe
1972	backup.exe
1648	System Restore.exe
1976	data.exe
880	backup.exe
108	backup.exe
856	System Restore.exe
1332	backup.exe
1728	backup.exe
824	backup.exe
1692	System Restore.exe
2968	backup.exe
860	backup.exe
1516	backup.exe
3056	backup.exe
2696	backup.exe
2792	backup.exe
2732	backup.exe
1292	backup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2276	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	30
PID 1668 wrote to memory of 2276	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	30
PID 1668 wrote to memory of 2276	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	30
PID 1668 wrote to memory of 2276	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	30
PID 1668 wrote to memory of 2184	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	31
PID 1668 wrote to memory of 2184	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	31
PID 1668 wrote to memory of 2184	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	31
PID 1668 wrote to memory of 2184	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	31
PID 1668 wrote to memory of 2796	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	32
PID 1668 wrote to memory of 2796	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	32
PID 1668 wrote to memory of 2796	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	32
PID 1668 wrote to memory of 2796	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	32
PID 1668 wrote to memory of 2152	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	33
PID 1668 wrote to memory of 2152	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	33
PID 1668 wrote to memory of 2152	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	33
PID 1668 wrote to memory of 2152	1668	226e758c6f65e3870d393be67e3a1fe0N.exe	33
PID 2276 wrote to memory of 2768	2276	backup.exe	35
PID 2276 wrote to memory of 2768	2276	backup.exe	35
PID 2276 wrote to memory of 2768	2276	backup.exe	35
PID 2276 wrote to memory of 2768	2276	backup.exe	35
PID 2768 wrote to memory of 2560	2768	System Restore.exe	36
PID 2768 wrote to memory of 2560	2768	System Restore.exe	36
PID 2768 wrote to memory of 2560	2768	System Restore.exe	36
PID 2768 wrote to memory of 2560	2768	System Restore.exe	36
PID 2152 wrote to memory of 2736	2152	backup.exe	34
PID 2152 wrote to memory of 2736	2152	backup.exe	34
PID 2152 wrote to memory of 2736	2152	backup.exe	34
PID 2152 wrote to memory of 2736	2152	backup.exe	34
PID 2560 wrote to memory of 3016	2560	backup.exe	37
PID 2560 wrote to memory of 3016	2560	backup.exe	37
PID 2560 wrote to memory of 3016	2560	backup.exe	37
PID 2560 wrote to memory of 3016	2560	backup.exe	37
PID 2736 wrote to memory of 2244	2736	backup.exe	38
PID 2736 wrote to memory of 2244	2736	backup.exe	38
PID 2736 wrote to memory of 2244	2736	backup.exe	38
PID 2736 wrote to memory of 2244	2736	backup.exe	38
PID 2768 wrote to memory of 1984	2768	System Restore.exe	39
PID 2768 wrote to memory of 1984	2768	System Restore.exe	39
PID 2768 wrote to memory of 1984	2768	System Restore.exe	39
PID 2768 wrote to memory of 1984	2768	System Restore.exe	39
PID 2736 wrote to memory of 564	2736	backup.exe	40
PID 2736 wrote to memory of 564	2736	backup.exe	40
PID 2736 wrote to memory of 564	2736	backup.exe	40
PID 2736 wrote to memory of 564	2736	backup.exe	40
PID 1984 wrote to memory of 2052	1984	backup.exe	41
PID 1984 wrote to memory of 2052	1984	backup.exe	41
PID 1984 wrote to memory of 2052	1984	backup.exe	41
PID 1984 wrote to memory of 2052	1984	backup.exe	41
PID 2736 wrote to memory of 2304	2736	backup.exe	42
PID 2736 wrote to memory of 2304	2736	backup.exe	42
PID 2736 wrote to memory of 2304	2736	backup.exe	42
PID 2736 wrote to memory of 2304	2736	backup.exe	42
PID 2052 wrote to memory of 924	2052	backup.exe	43
PID 2052 wrote to memory of 924	2052	backup.exe	43
PID 2052 wrote to memory of 924	2052	backup.exe	43
PID 2052 wrote to memory of 924	2052	backup.exe	43
PID 2736 wrote to memory of 2320	2736	backup.exe	44
PID 2736 wrote to memory of 2320	2736	backup.exe	44
PID 2736 wrote to memory of 2320	2736	backup.exe	44
PID 2736 wrote to memory of 2320	2736	backup.exe	44
PID 1984 wrote to memory of 2188	1984	backup.exe	46
PID 1984 wrote to memory of 2188	1984	backup.exe	46
PID 1984 wrote to memory of 2188	1984	backup.exe	46
PID 1984 wrote to memory of 2188	1984	backup.exe	46

System policy modification 1 TTPs 64 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	update.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	System Restore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	data.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	backup.exe

C:\Users\Admin\AppData\Local\Temp\226e758c6f65e3870d393be67e3a1fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\226e758c6f65e3870d393be67e3a1fe0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\2020447974\backup.exe
  C:\Users\Admin\AppData\Local\Temp\2020447974\backup.exe C:\Users\Admin\AppData\Local\Temp\2020447974\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\System Restore.exe
    "\System Restore.exe" \
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\PerfLogs\backup.exe
      C:\PerfLogs\backup.exe C:\PerfLogs\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\PerfLogs\Admin\backup.exe
        
        C:\PerfLogs\Admin\backup.exe C:\PerfLogs\Admin\
        5⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3016
  - - C:\Program Files\backup.exe
      "C:\Program Files\backup.exe" C:\Program Files\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Program Files\7-Zip\backup.exe
        
        "C:\Program Files\7-Zip\backup.exe" C:\Program Files\7-Zip\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Program Files\7-Zip\Lang\backup.exe
        
        "C:\Program Files\7-Zip\Lang\backup.exe" C:\Program Files\7-Zip\Lang\
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:924
    - - C:\Program Files\Common Files\backup.exe
        
        "C:\Program Files\Common Files\backup.exe" C:\Program Files\Common Files\
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2188
      - C:\Program Files\Common Files\Microsoft Shared\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\backup.exe" C:\Program Files\Common Files\Microsoft Shared\
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:828
        
        C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Filters\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2496
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2456
        
        C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1632
        
        C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2752
        
        C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\en-US\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2832
        
        C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1696
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:672
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1760
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\data.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:108
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\System Restore.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1692
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:860
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\
        9⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3056
        
        C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2792
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1292
        
        C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\
        8⤵
        
        PID:2244
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\
        8⤵
        
        PID:564
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\
        8⤵
        
        PID:2912
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\
        8⤵
        
        PID:956
        
        C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\lv-LV\
        8⤵
        
        PID:780
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\
        8⤵
        
        PID:2908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\
        8⤵
        
        PID:476
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1908
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\
        8⤵
        
        PID:856
        
        C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\
        8⤵
        
        PID:2212
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\
        8⤵
        
        PID:1688
        
        C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\
        8⤵
        
        PID:2812
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\
        8⤵
        
        PID:2876
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\
        8⤵
        
        PID:2668
        
        C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\
        8⤵
        
        PID:1616
        
        C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\
        8⤵
        
        PID:2560
        
        C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\
        8⤵
        
        PID:2384
        
        C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\
        8⤵
        
        PID:2624
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\
        8⤵
        System policy modification
        
        PID:2852
        
        C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\backup.exe" C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\
        8⤵
        System policy modification
        
        PID:2324
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\
        7⤵
        System policy modification
        
        PID:2740
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\
        8⤵
        
        PID:336
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\
        8⤵
        
        PID:2164
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\
        8⤵
        
        PID:700
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\
        8⤵
        
        PID:328
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\
        8⤵
        
        PID:2500
        
        C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\
        8⤵
        
        PID:1936
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\
        7⤵
        System policy modification
        
        PID:2820
        
        C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\
        8⤵
        
        PID:2720
        
        C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2588
        
        C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Stationery\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Stationery\
        7⤵
        
        PID:2268
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2328
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\
        8⤵
        
        PID:1944
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\
        8⤵
        
        PID:2392
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\
        8⤵
        
        PID:824
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\
        8⤵
        
        PID:1304
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\
        8⤵
        
        PID:2672
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\backup.exe" C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\
        8⤵
        
        PID:2376
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\
        7⤵
        Drops file in Program Files directory
        
        PID:2928
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\de-DE\
        8⤵
        
        PID:2072
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\
        8⤵
        
        PID:812
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\fr-FR\
        8⤵
        
        PID:1516
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\backup.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\
        8⤵
        
        PID:2808
        
        C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\update.exe" C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\
        8⤵
        
        PID:1300
        
        C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VC\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VC\
        7⤵
        
        PID:1344
        
        C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VGX\update.exe" C:\Program Files\Common Files\Microsoft Shared\VGX\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\
        7⤵
        
        PID:2936
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\
        8⤵
        
        PID:2788
        
        C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\backup.exe" C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\
        9⤵
        
        PID:2144
      - C:\Program Files\Common Files\Services\update.exe
        
        "C:\Program Files\Common Files\Services\update.exe" C:\Program Files\Common Files\Services\
        6⤵
        
        PID:2560
      - C:\Program Files\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\backup.exe" C:\Program Files\Common Files\SpeechEngines\
        6⤵
        
        PID:992
        
        C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:880
      - C:\Program Files\Common Files\System\backup.exe
        
        "C:\Program Files\Common Files\System\backup.exe" C:\Program Files\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:932
        
        C:\Program Files\Common Files\System\ado\backup.exe
        
        "C:\Program Files\Common Files\System\ado\backup.exe" C:\Program Files\Common Files\System\ado\
        7⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Program Files\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\ado\de-DE\backup.exe" C:\Program Files\Common Files\System\ado\de-DE\
        8⤵
        
        PID:2380
        
        C:\Program Files\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\ado\en-US\backup.exe" C:\Program Files\Common Files\System\ado\en-US\
        8⤵
        
        PID:2616
        
        C:\Program Files\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\ado\es-ES\backup.exe" C:\Program Files\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2496
        
        C:\Program Files\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:108
        
        C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe
        
        "C:\Program Files\Common Files\System\ado\it-IT\System Restore.exe" C:\Program Files\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2240
        
        C:\Program Files\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files\Common Files\System\ado\ja-JP\
        8⤵
        
        PID:2968
        
        C:\Program Files\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\de-DE\backup.exe" C:\Program Files\Common Files\System\de-DE\
        7⤵
        
        PID:2056
        
        C:\Program Files\Common Files\System\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\en-US\backup.exe" C:\Program Files\Common Files\System\en-US\
        7⤵
        
        PID:2592
        
        C:\Program Files\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\es-ES\backup.exe" C:\Program Files\Common Files\System\es-ES\
        7⤵
        
        PID:2280
        
        C:\Program Files\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\fr-FR\backup.exe" C:\Program Files\Common Files\System\fr-FR\
        7⤵
        
        PID:1908
        
        C:\Program Files\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\it-IT\backup.exe" C:\Program Files\Common Files\System\it-IT\
        7⤵
        
        PID:1616
        
        C:\Program Files\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\ja-JP\backup.exe" C:\Program Files\Common Files\System\ja-JP\
        7⤵
        
        PID:2168
        
        C:\Program Files\Common Files\System\msadc\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\backup.exe" C:\Program Files\Common Files\System\msadc\
        7⤵
        Drops file in Program Files directory
        
        PID:1716
        
        C:\Program Files\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:1764
        
        C:\Program Files\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\en-US\backup.exe" C:\Program Files\Common Files\System\msadc\en-US\
        8⤵
        
        PID:888
        
        C:\Program Files\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:1632
        
        C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\fr-FR\backup.exe" C:\Program Files\Common Files\System\msadc\fr-FR\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Program Files\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:1464
        
        C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:2820
        
        C:\Program Files\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\backup.exe" C:\Program Files\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:2956
        
        C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files\Common Files\System\Ole DB\de-DE\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2928
        
        C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files\Common Files\System\Ole DB\en-US\
        8⤵
        
        PID:2136
        
        C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1944
        
        C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe
        
        "C:\Program Files\Common Files\System\Ole DB\fr-FR\data.exe" C:\Program Files\Common Files\System\Ole DB\fr-FR\
        8⤵
        System policy modification
        
        PID:2496
        
        C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:2452
        
        C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe
        
        "C:\Program Files\Common Files\System\Ole DB\ja-JP\backup.exe" C:\Program Files\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1764
    - - C:\Program Files\DVD Maker\backup.exe
        
        "C:\Program Files\DVD Maker\backup.exe" C:\Program Files\DVD Maker\
        5⤵
        
        PID:2612
      - C:\Program Files\DVD Maker\de-DE\backup.exe
        
        "C:\Program Files\DVD Maker\de-DE\backup.exe" C:\Program Files\DVD Maker\de-DE\
        6⤵
        
        PID:672
      - C:\Program Files\DVD Maker\en-US\backup.exe
        
        "C:\Program Files\DVD Maker\en-US\backup.exe" C:\Program Files\DVD Maker\en-US\
        6⤵
        System policy modification
        
        PID:780
      - C:\Program Files\DVD Maker\es-ES\backup.exe
        
        "C:\Program Files\DVD Maker\es-ES\backup.exe" C:\Program Files\DVD Maker\es-ES\
        6⤵
        
        PID:3044
      - C:\Program Files\DVD Maker\fr-FR\backup.exe
        
        "C:\Program Files\DVD Maker\fr-FR\backup.exe" C:\Program Files\DVD Maker\fr-FR\
        6⤵
        
        PID:2144
      - C:\Program Files\DVD Maker\it-IT\backup.exe
        
        "C:\Program Files\DVD Maker\it-IT\backup.exe" C:\Program Files\DVD Maker\it-IT\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
      - C:\Program Files\DVD Maker\ja-JP\backup.exe
        
        "C:\Program Files\DVD Maker\ja-JP\backup.exe" C:\Program Files\DVD Maker\ja-JP\
        6⤵
        
        PID:1132
      - C:\Program Files\DVD Maker\Shared\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\backup.exe" C:\Program Files\DVD Maker\Shared\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1260
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\
        7⤵
        Drops file in Program Files directory
        
        PID:1176
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\
        8⤵
        
        PID:1648
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\
        8⤵
        
        PID:1280
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\
        8⤵
        System policy modification
        
        PID:824
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Full\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Full\
        8⤵
        
        PID:1956
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\System Restore.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\System Restore.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\
        8⤵
        
        PID:2672
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\
        8⤵
        
        PID:1300
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\
        8⤵
        
        PID:2652
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\
        8⤵
        System policy modification
        
        PID:2060
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\
        8⤵
        
        PID:1736
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Push\update.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Push\
        8⤵
        
        PID:2040
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\
        8⤵
        
        PID:3036
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\
        8⤵
        
        PID:2680
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\
        8⤵
        
        PID:2792
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\
        8⤵
        
        PID:2720
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\
        8⤵
        
        PID:2052
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\
        8⤵
        
        PID:2520
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\
        8⤵
        
        PID:2600
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\
        8⤵
        
        PID:2696
        
        C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\backup.exe" C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\
        8⤵
        
        PID:1332
    - - C:\Program Files\Google\backup.exe
        
        "C:\Program Files\Google\backup.exe" C:\Program Files\Google\
        5⤵
        
        PID:1004
      - C:\Program Files\Google\Chrome\backup.exe
        
        "C:\Program Files\Google\Chrome\backup.exe" C:\Program Files\Google\Chrome\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Program Files\Google\Chrome\Application\System Restore.exe
        
        "C:\Program Files\Google\Chrome\Application\System Restore.exe" C:\Program Files\Google\Chrome\Application\
        7⤵
        
        PID:2924
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\
        8⤵
        
        PID:2376
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:540
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\
        9⤵
        
        PID:1668
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\
        9⤵
        
        PID:328
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\
        9⤵
        
        PID:744
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\
        9⤵
        
        PID:2652
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\
        9⤵
        
        PID:3056
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\
        9⤵
        
        PID:2672
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\update.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\update.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\
        10⤵
        
        PID:2288
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\backup.exe" C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\
        11⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1708
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\backup.exe" C:\Program Files\Google\Chrome\Application\SetupMetrics\
        8⤵
        
        PID:2100
    - - C:\Program Files\Internet Explorer\backup.exe
        
        "C:\Program Files\Internet Explorer\backup.exe" C:\Program Files\Internet Explorer\
        5⤵
        
        PID:1848
      - C:\Program Files\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files\Internet Explorer\de-DE\backup.exe" C:\Program Files\Internet Explorer\de-DE\
        6⤵
        
        PID:2000
      - C:\Program Files\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files\Internet Explorer\en-US\backup.exe" C:\Program Files\Internet Explorer\en-US\
        6⤵
        
        PID:1644
      - C:\Program Files\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files\Internet Explorer\es-ES\backup.exe" C:\Program Files\Internet Explorer\es-ES\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
      - C:\Program Files\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\backup.exe" C:\Program Files\Internet Explorer\fr-FR\
        6⤵
        
        PID:936
      - C:\Program Files\Internet Explorer\images\backup.exe
        
        "C:\Program Files\Internet Explorer\images\backup.exe" C:\Program Files\Internet Explorer\images\
        6⤵
        
        PID:2556
      - C:\Program Files\Internet Explorer\it-IT\backup.exe
        
        "C:\Program Files\Internet Explorer\it-IT\backup.exe" C:\Program Files\Internet Explorer\it-IT\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:576
      - C:\Program Files\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\backup.exe" C:\Program Files\Internet Explorer\ja-JP\
        6⤵
        
        PID:2644
      - C:\Program Files\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files\Internet Explorer\SIGNUP\backup.exe" C:\Program Files\Internet Explorer\SIGNUP\
        6⤵
        
        PID:952
    - - C:\Program Files\Java\backup.exe
        
        "C:\Program Files\Java\backup.exe" C:\Program Files\Java\
        5⤵
        Drops file in Program Files directory
        
        PID:2124
      - C:\Program Files\Java\jdk1.7.0_80\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\backup.exe" C:\Program Files\Java\jdk1.7.0_80\
        6⤵
        Drops file in Program Files directory
        
        PID:3032
        
        C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\bin\
        7⤵
        
        PID:1096
        
        C:\Program Files\Java\jdk1.7.0_80\db\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\
        7⤵
        
        PID:2952
        
        C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\bin\
        8⤵
        
        PID:2728
        
        C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\db\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\db\lib\
        8⤵
        
        PID:2112
        
        C:\Program Files\Java\jdk1.7.0_80\include\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\
        7⤵
        
        PID:1844
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\
        8⤵
        
        PID:2196
        
        C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\backup.exe" C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\
        7⤵
        
        PID:1548
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\
        9⤵
        
        PID:2812
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\
        9⤵
        
        PID:2140
        
        C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\
        8⤵
        Drops file in Program Files directory
        
        PID:1952
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\
        9⤵
        
        PID:2448
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\
        9⤵
        
        PID:3004
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\data.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\
        9⤵
        
        PID:2972
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\
        9⤵
        
        PID:860
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\
        9⤵
        
        PID:2772
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\
        9⤵
        System policy modification
        
        PID:2904
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\
        9⤵
        
        PID:2992
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\
        10⤵
        
        PID:2564
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\
        9⤵
        
        PID:2392
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\
        9⤵
        
        PID:2628
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\
        9⤵
        
        PID:2716
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\
        9⤵
        
        PID:1028
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\
        10⤵
        
        PID:2652
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\
        10⤵
        Drops file in Program Files directory
        
        PID:2056
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\
        11⤵
        
        PID:2828
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\
        11⤵
        System policy modification
        
        PID:596
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\
        11⤵
        System policy modification
        
        PID:1856
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\
        11⤵
        
        PID:2692
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\
        10⤵
        
        PID:2784
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\
        10⤵
        
        PID:2980
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\
        10⤵
        
        PID:1080
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\
        10⤵
        
        PID:1280
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\
        10⤵
        
        PID:2732
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\
        10⤵
        
        PID:1964
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\
        10⤵
        
        PID:520
        
        C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\backup.exe" C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:2128
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\
        8⤵
        Drops file in Program Files directory
        
        PID:1624
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\
        9⤵
        
        PID:2632
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\
        10⤵
        System policy modification
        
        PID:740
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\
        10⤵
        
        PID:2924
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\
        9⤵
        
        PID:2512
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\
        10⤵
        
        PID:1568
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\
        10⤵
        
        PID:1900
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\
        10⤵
        
        PID:564
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\
        10⤵
        
        PID:2744
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\
        10⤵
        
        PID:2460
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\
        10⤵
        
        PID:2124
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\
        10⤵
        
        PID:2748
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\
        10⤵
        
        PID:2008
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\
        11⤵
        
        PID:2492
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\
        10⤵
        
        PID:2392
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\
        11⤵
        System policy modification
        
        PID:2976
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\
        10⤵
        
        PID:2668
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\
        9⤵
        
        PID:2060
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\
        10⤵
        
        PID:1364
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\
        11⤵
        
        PID:2956
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\
        12⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\
        10⤵
        Drops file in Program Files directory
        
        PID:2296
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\
        11⤵
        
        PID:1636
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\
        12⤵
        
        PID:880
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\
        9⤵
        
        PID:1612
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\
        10⤵
        Drops file in Program Files directory
        
        PID:1664
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\
        11⤵
        
        PID:2052
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\
        12⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3056
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\
        13⤵
        
        PID:1028
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\
        13⤵
        
        PID:1368
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\
        13⤵
        System policy modification
        
        PID:828
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\
        11⤵
        
        PID:1228
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\
        11⤵
        
        PID:2164
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\
        10⤵
        
        PID:2756
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\
        11⤵
        
        PID:1776
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\
        11⤵
        
        PID:1672
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\
        11⤵
        
        PID:3032
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\
        11⤵
        
        PID:3024
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\
        10⤵
        
        PID:2480
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\
        11⤵
        
        PID:2500
        
        C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\
        10⤵
        
        PID:2996
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\
        8⤵
        
        PID:1472
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\
        9⤵
        System policy modification
        
        PID:2788
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\
        9⤵
        
        PID:1100
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\
        10⤵
        
        PID:2068
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\
        11⤵
        
        PID:2000
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\
        11⤵
        
        PID:2448
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\
        10⤵
        
        PID:2788
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\
        11⤵
        
        PID:2524
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\
        10⤵
        
        PID:2792
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\
        11⤵
        
        PID:2320
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\
        10⤵
        
        PID:1516
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\
        11⤵
        
        PID:1076
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\
        12⤵
        
        PID:2744
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\
        11⤵
        
        PID:2440
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\
        10⤵
        
        PID:2384
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\
        10⤵
        System policy modification
        
        PID:2536
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\
        11⤵
        
        PID:1812
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\
        10⤵
        
        PID:2676
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\
        11⤵
        System policy modification
        
        PID:2796
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\System Restore.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\System Restore.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\
        12⤵
        System policy modification
        
        PID:1496
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\
        13⤵
        
        PID:2068
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\
        12⤵
        
        PID:2316
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\
        13⤵
        
        PID:2784
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\
        11⤵
        
        PID:672
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\
        10⤵
        
        PID:2464
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\
        11⤵
        System policy modification
        
        PID:2616
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\
        10⤵
        
        PID:2280
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\
        9⤵
        
        PID:1380
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\
        11⤵
        
        PID:2972
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\
        10⤵
        
        PID:2648
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\
        11⤵
        
        PID:1132
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\backup.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\update.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\update.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\
        11⤵
        
        PID:760
        
        C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\data.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\data.exe" C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\
        10⤵
        
        PID:1568
      - C:\Program Files\Java\jre7\backup.exe
        
        "C:\Program Files\Java\jre7\backup.exe" C:\Program Files\Java\jre7\
        6⤵
        
        PID:2676
        
        C:\Program Files\Java\jre7\bin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\backup.exe" C:\Program Files\Java\jre7\bin\
        7⤵
        
        PID:2480
        
        C:\Program Files\Java\jre7\bin\dtplugin\backup.exe
        
        "C:\Program Files\Java\jre7\bin\dtplugin\backup.exe" C:\Program Files\Java\jre7\bin\dtplugin\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1276
        
        C:\Program Files\Java\jre7\bin\plugin2\backup.exe
        
        "C:\Program Files\Java\jre7\bin\plugin2\backup.exe" C:\Program Files\Java\jre7\bin\plugin2\
        8⤵
        
        PID:108
        
        C:\Program Files\Java\jre7\bin\server\backup.exe
        
        "C:\Program Files\Java\jre7\bin\server\backup.exe" C:\Program Files\Java\jre7\bin\server\
        8⤵
        
        PID:2152
        
        C:\Program Files\Java\jre7\lib\backup.exe
        
        "C:\Program Files\Java\jre7\lib\backup.exe" C:\Program Files\Java\jre7\lib\
        7⤵
        Drops file in Program Files directory
        
        PID:1232
        
        C:\Program Files\Java\jre7\lib\amd64\backup.exe
        
        "C:\Program Files\Java\jre7\lib\amd64\backup.exe" C:\Program Files\Java\jre7\lib\amd64\
        8⤵
        
        PID:1720
        
        C:\Program Files\Java\jre7\lib\applet\backup.exe
        
        "C:\Program Files\Java\jre7\lib\applet\backup.exe" C:\Program Files\Java\jre7\lib\applet\
        8⤵
        
        PID:880
        
        C:\Program Files\Java\jre7\lib\cmm\backup.exe
        
        "C:\Program Files\Java\jre7\lib\cmm\backup.exe" C:\Program Files\Java\jre7\lib\cmm\
        8⤵
        
        PID:2240
        
        C:\Program Files\Java\jre7\lib\deploy\backup.exe
        
        "C:\Program Files\Java\jre7\lib\deploy\backup.exe" C:\Program Files\Java\jre7\lib\deploy\
        8⤵
        
        PID:1316
        
        C:\Program Files\Java\jre7\lib\ext\backup.exe
        
        "C:\Program Files\Java\jre7\lib\ext\backup.exe" C:\Program Files\Java\jre7\lib\ext\
        8⤵
        
        PID:2724
        
        C:\Program Files\Java\jre7\lib\fonts\backup.exe
        
        "C:\Program Files\Java\jre7\lib\fonts\backup.exe" C:\Program Files\Java\jre7\lib\fonts\
        8⤵
        
        PID:3056
        
        C:\Program Files\Java\jre7\lib\images\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\backup.exe" C:\Program Files\Java\jre7\lib\images\
        8⤵
        
        PID:1444
        
        C:\Program Files\Java\jre7\lib\images\cursors\backup.exe
        
        "C:\Program Files\Java\jre7\lib\images\cursors\backup.exe" C:\Program Files\Java\jre7\lib\images\cursors\
        9⤵
        
        PID:1996
        
        C:\Program Files\Java\jre7\lib\jfr\backup.exe
        
        "C:\Program Files\Java\jre7\lib\jfr\backup.exe" C:\Program Files\Java\jre7\lib\jfr\
        8⤵
        
        PID:932
        
        C:\Program Files\Java\jre7\lib\management\backup.exe
        
        "C:\Program Files\Java\jre7\lib\management\backup.exe" C:\Program Files\Java\jre7\lib\management\
        8⤵
        
        PID:2384
        
        C:\Program Files\Java\jre7\lib\security\backup.exe
        
        "C:\Program Files\Java\jre7\lib\security\backup.exe" C:\Program Files\Java\jre7\lib\security\
        8⤵
        
        PID:580
        
        C:\Program Files\Java\jre7\lib\zi\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\backup.exe" C:\Program Files\Java\jre7\lib\zi\
        8⤵
        Drops file in Program Files directory
        
        PID:1928
        
        C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Africa\backup.exe" C:\Program Files\Java\jre7\lib\zi\Africa\
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:908
        
        C:\Program Files\Java\jre7\lib\zi\America\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\
        9⤵
        Drops file in Program Files directory
        
        PID:2028
        
        C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Argentina\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Argentina\
        10⤵
        
        PID:2020
        
        C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Indiana\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Indiana\
        10⤵
        
        PID:2676
        
        C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\America\Kentucky\backup.exe" C:\Program Files\Java\jre7\lib\zi\America\Kentucky\
        10⤵
        
        PID:2780
        
        C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe
        
        "C:\Program Files\Java\jre7\lib\zi\Antarctica\backup.exe" C:\Program Files\Java\jre7\lib\zi\Antarctica\
        9⤵
        
        PID:1536
    - - C:\Program Files\Microsoft Games\backup.exe
        
        "C:\Program Files\Microsoft Games\backup.exe" C:\Program Files\Microsoft Games\
        5⤵
        Drops file in Program Files directory
        
        PID:2444
      - C:\Program Files\Microsoft Games\Chess\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\backup.exe" C:\Program Files\Microsoft Games\Chess\
        6⤵
        
        PID:564
        
        C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\de-DE\backup.exe" C:\Program Files\Microsoft Games\Chess\de-DE\
        7⤵
        
        PID:2244
        
        C:\Program Files\Microsoft Games\Chess\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\en-US\backup.exe" C:\Program Files\Microsoft Games\Chess\en-US\
        7⤵
        System policy modification
        
        PID:2092
        
        C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\es-ES\backup.exe" C:\Program Files\Microsoft Games\Chess\es-ES\
        7⤵
        
        PID:2756
        
        C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Chess\fr-FR\
        7⤵
        
        PID:2508
        
        C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\it-IT\backup.exe" C:\Program Files\Microsoft Games\Chess\it-IT\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Chess\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Chess\ja-JP\
        7⤵
        
        PID:2364
      - C:\Program Files\Microsoft Games\FreeCell\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\backup.exe" C:\Program Files\Microsoft Games\FreeCell\
        6⤵
        
        PID:2044
        
        C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\de-DE\backup.exe" C:\Program Files\Microsoft Games\FreeCell\de-DE\
        7⤵
        
        PID:576
        
        C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\en-US\backup.exe" C:\Program Files\Microsoft Games\FreeCell\en-US\
        7⤵
        
        PID:2660
        
        C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\es-ES\backup.exe" C:\Program Files\Microsoft Games\FreeCell\es-ES\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1264
        
        C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\fr-FR\backup.exe" C:\Program Files\Microsoft Games\FreeCell\fr-FR\
        7⤵
        
        PID:2168
        
        C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\it-IT\backup.exe" C:\Program Files\Microsoft Games\FreeCell\it-IT\
        7⤵
        
        PID:3032
        
        C:\Program Files\Microsoft Games\FreeCell\ja-JP\System Restore.exe
        
        "C:\Program Files\Microsoft Games\FreeCell\ja-JP\System Restore.exe" C:\Program Files\Microsoft Games\FreeCell\ja-JP\
        7⤵
        
        PID:788
      - C:\Program Files\Microsoft Games\Hearts\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\backup.exe" C:\Program Files\Microsoft Games\Hearts\
        6⤵
        
        PID:2376
        
        C:\Program Files\Microsoft Games\Hearts\de-DE\data.exe
        
        "C:\Program Files\Microsoft Games\Hearts\de-DE\data.exe" C:\Program Files\Microsoft Games\Hearts\de-DE\
        7⤵
        
        PID:2252
        
        C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\en-US\backup.exe" C:\Program Files\Microsoft Games\Hearts\en-US\
        7⤵
        System policy modification
        
        PID:3044
        
        C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\es-ES\backup.exe" C:\Program Files\Microsoft Games\Hearts\es-ES\
        7⤵
        
        PID:308
        
        C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Hearts\fr-FR\
        7⤵
        
        PID:520
        
        C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\it-IT\backup.exe" C:\Program Files\Microsoft Games\Hearts\it-IT\
        7⤵
        
        PID:2240
        
        C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Hearts\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Hearts\ja-JP\
        7⤵
        System policy modification
        
        PID:2600
      - C:\Program Files\Microsoft Games\Mahjong\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\backup.exe" C:\Program Files\Microsoft Games\Mahjong\
        6⤵
        
        PID:944
        
        C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\de-DE\backup.exe" C:\Program Files\Microsoft Games\Mahjong\de-DE\
        7⤵
        
        PID:2348
        
        C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\en-US\backup.exe" C:\Program Files\Microsoft Games\Mahjong\en-US\
        7⤵
        
        PID:840
        
        C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\es-ES\backup.exe" C:\Program Files\Microsoft Games\Mahjong\es-ES\
        7⤵
        
        PID:736
        
        C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Mahjong\fr-FR\
        7⤵
        
        PID:1996
        
        C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\it-IT\backup.exe" C:\Program Files\Microsoft Games\Mahjong\it-IT\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1724
        
        C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Mahjong\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Mahjong\ja-JP\
        7⤵
        
        PID:840
      - C:\Program Files\Microsoft Games\Minesweeper\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\
        6⤵
        
        PID:1784
        
        C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\de-DE\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\de-DE\
        7⤵
        
        PID:2908
        
        C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\en-US\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\en-US\
        7⤵
        
        PID:3000
        
        C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\es-ES\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\es-ES\
        7⤵
        
        PID:564
        
        C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\fr-FR\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\fr-FR\
        7⤵
        
        PID:2772
        
        C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\it-IT\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\it-IT\
        7⤵
        
        PID:2056
        
        C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe
        
        "C:\Program Files\Microsoft Games\Minesweeper\ja-JP\backup.exe" C:\Program Files\Microsoft Games\Minesweeper\ja-JP\
        7⤵
        
        PID:2088
      - C:\Program Files\Microsoft Games\More Games\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\backup.exe" C:\Program Files\Microsoft Games\More Games\
        6⤵
        Drops file in Program Files directory
        
        PID:1692
        
        C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\de-DE\backup.exe" C:\Program Files\Microsoft Games\More Games\de-DE\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2976
        
        C:\Program Files\Microsoft Games\More Games\en-US\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\en-US\backup.exe" C:\Program Files\Microsoft Games\More Games\en-US\
        7⤵
        
        PID:840
        
        C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\es-ES\backup.exe" C:\Program Files\Microsoft Games\More Games\es-ES\
        7⤵
        
        PID:2100
        
        C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe
        
        "C:\Program Files\Microsoft Games\More Games\fr-FR\backup.exe" C:\Program Files\Microsoft Games\More Games\fr-FR\
        7⤵
        
        PID:2644
      - C:\Program Files\Microsoft Games\Multiplayer\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\
        6⤵
        
        PID:1720
        
        C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe
        
        "C:\Program Files\Microsoft Games\Multiplayer\Backgammon\backup.exe" C:\Program Files\Microsoft Games\Multiplayer\Backgammon\
        7⤵
        
        PID:1624
    - - C:\Program Files\Microsoft Office\backup.exe
        
        "C:\Program Files\Microsoft Office\backup.exe" C:\Program Files\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:828
      - C:\Program Files\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\backup.exe" C:\Program Files\Microsoft Office\Office14\
        6⤵
        
        PID:2696
        
        C:\Program Files\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\backup.exe" C:\Program Files\Microsoft Office\Office14\1033\
        7⤵
        
        PID:596
    - - C:\Program Files\Mozilla Firefox\backup.exe
        
        "C:\Program Files\Mozilla Firefox\backup.exe" C:\Program Files\Mozilla Firefox\
        5⤵
        
        PID:2876
      - C:\Program Files\Mozilla Firefox\browser\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\backup.exe" C:\Program Files\Mozilla Firefox\browser\
        6⤵
        
        PID:1688
        
        C:\Program Files\Mozilla Firefox\browser\features\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\features\backup.exe" C:\Program Files\Mozilla Firefox\browser\features\
        7⤵
        
        PID:1848
        
        C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe
        
        "C:\Program Files\Mozilla Firefox\browser\VisualElements\backup.exe" C:\Program Files\Mozilla Firefox\browser\VisualElements\
        7⤵
        
        PID:2620
      - C:\Program Files\Mozilla Firefox\defaults\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\backup.exe" C:\Program Files\Mozilla Firefox\defaults\
        6⤵
        
        PID:2892
        
        C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe
        
        "C:\Program Files\Mozilla Firefox\defaults\pref\backup.exe" C:\Program Files\Mozilla Firefox\defaults\pref\
        7⤵
        
        PID:2708
      - C:\Program Files\Mozilla Firefox\fonts\backup.exe
        
        "C:\Program Files\Mozilla Firefox\fonts\backup.exe" C:\Program Files\Mozilla Firefox\fonts\
        6⤵
        
        PID:2688
      - C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\
        6⤵
        
        PID:2364
        
        C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe
        
        "C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backup.exe" C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\
        7⤵
        
        PID:1280
      - C:\Program Files\Mozilla Firefox\uninstall\backup.exe
        
        "C:\Program Files\Mozilla Firefox\uninstall\backup.exe" C:\Program Files\Mozilla Firefox\uninstall\
        6⤵
        
        PID:1264
    - - C:\Program Files\MSBuild\backup.exe
        
        "C:\Program Files\MSBuild\backup.exe" C:\Program Files\MSBuild\
        5⤵
        
        PID:2092
      - C:\Program Files\MSBuild\Microsoft\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\backup.exe" C:\Program Files\MSBuild\Microsoft\
        6⤵
        
        PID:940
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\
        7⤵
        
        PID:2244
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\
        8⤵
        
        PID:928
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\backup.exe" C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\
        8⤵
        
        PID:2040
    - - C:\Program Files\Reference Assemblies\backup.exe
        
        "C:\Program Files\Reference Assemblies\backup.exe" C:\Program Files\Reference Assemblies\
        5⤵
        
        PID:1292
      - C:\Program Files\Reference Assemblies\Microsoft\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\data.exe" C:\Program Files\Reference Assemblies\Microsoft\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\data.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\data.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\
        7⤵
        Drops file in Program Files directory
        
        PID:1944
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
        8⤵
        
        PID:1332
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2728
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\
        9⤵
        
        PID:540
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\
        9⤵
        
        PID:2948
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\
        9⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\
        9⤵
        
        PID:2172
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\
        8⤵
        System policy modification
        
        PID:1704
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\
        9⤵
        
        PID:1472
        
        C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe
        
        "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\backup.exe" C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\
        9⤵
        
        PID:2312
    - - C:\Program Files\VideoLAN\backup.exe
        
        "C:\Program Files\VideoLAN\backup.exe" C:\Program Files\VideoLAN\
        5⤵
        
        PID:2136
      - C:\Program Files\VideoLAN\VLC\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\backup.exe" C:\Program Files\VideoLAN\VLC\
        6⤵
        Drops file in Program Files directory
        
        PID:2956
        
        C:\Program Files\VideoLAN\VLC\hrtfs\System Restore.exe
        
        "C:\Program Files\VideoLAN\VLC\hrtfs\System Restore.exe" C:\Program Files\VideoLAN\VLC\hrtfs\
        7⤵
        
        PID:2152
        
        C:\Program Files\VideoLAN\VLC\locale\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\backup.exe" C:\Program Files\VideoLAN\VLC\locale\
        7⤵
        
        PID:1616
        
        C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe
        
        "C:\Program Files\VideoLAN\VLC\locale\ach\backup.exe" C:\Program Files\VideoLAN\VLC\locale\ach\
        8⤵
        Drops file in Program Files directory
        
        PID:2568
    - - C:\Program Files\Windows Defender\backup.exe
        
        "C:\Program Files\Windows Defender\backup.exe" C:\Program Files\Windows Defender\
        5⤵
        
        PID:1696
      - C:\Program Files\Windows Defender\de-DE\backup.exe
        
        "C:\Program Files\Windows Defender\de-DE\backup.exe" C:\Program Files\Windows Defender\de-DE\
        6⤵
        
        PID:856
      - C:\Program Files\Windows Defender\en-US\backup.exe
        
        "C:\Program Files\Windows Defender\en-US\backup.exe" C:\Program Files\Windows Defender\en-US\
        6⤵
        
        PID:596
  - - C:\Program Files (x86)\backup.exe
      "C:\Program Files (x86)\backup.exe" C:\Program Files (x86)\
      4⤵
      Drops file in Program Files directory
      PID:1492
    - - C:\Program Files (x86)\Adobe\backup.exe
        
        "C:\Program Files (x86)\Adobe\backup.exe" C:\Program Files (x86)\Adobe\
        5⤵
        
        PID:2064
      - C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\
        6⤵
        Drops file in Program Files directory
        
        PID:2460
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Esl\
        7⤵
        
        PID:1900
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\data.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\
        7⤵
        
        PID:2664
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\
        8⤵
        
        PID:2884
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\
        8⤵
        
        PID:2720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\
        8⤵
        
        PID:1204
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\
        8⤵
        Drops file in Program Files directory
        
        PID:2268
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\
        9⤵
        
        PID:1388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\
        8⤵
        
        PID:888
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\
        8⤵
        
        PID:2704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\
        9⤵
        
        PID:2192
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\
        8⤵
        
        PID:2588
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\
        8⤵
        
        PID:2172
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\
        9⤵
        
        PID:1856
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\
        10⤵
        
        PID:2492
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\
        9⤵
        
        PID:740
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\
        10⤵
        
        PID:2712
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\
        11⤵
        
        PID:2440
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\
        9⤵
        
        PID:2628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\
        10⤵
        
        PID:2384
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\
        9⤵
        
        PID:1920
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\
        10⤵
        
        PID:2272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\
        8⤵
        
        PID:2284
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\
        9⤵
        
        PID:3032
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\
        8⤵
        
        PID:2944
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\
        8⤵
        
        PID:2156
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\
        7⤵
        
        PID:1568
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\
        8⤵
        
        PID:2604
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\
        9⤵
        
        PID:2668
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\
        8⤵
        
        PID:2544
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\
        9⤵
        
        PID:2340
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\
        9⤵
        
        PID:2652
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\
        10⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1804
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\
        8⤵
        
        PID:1772
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\
        8⤵
        Drops file in Program Files directory
        
        PID:2156
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\
        9⤵
        
        PID:1576
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\
        10⤵
        
        PID:2300
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\
        10⤵
        Drops file in Program Files directory
        System Network Configuration Discovery: Internet Connection Discovery
        System policy modification
        
        PID:2292
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\update.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1296
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:520
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\
        7⤵
        
        PID:2892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\backup.exe" C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\
        8⤵
        
        PID:1700
    - - C:\Program Files (x86)\Common Files\backup.exe
        
        "C:\Program Files (x86)\Common Files\backup.exe" C:\Program Files (x86)\Common Files\
        5⤵
        Drops file in Program Files directory
        
        PID:1688
      - C:\Program Files (x86)\Common Files\Adobe\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\backup.exe" C:\Program Files (x86)\Common Files\Adobe\
        6⤵
        Drops file in Program Files directory
        
        PID:2692
        
        C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Acrobat\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Acrobat\
        7⤵
        
        PID:2080
        
        C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\
        7⤵
        
        PID:680
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\
        9⤵
        
        PID:1624
        
        C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\data.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\data.exe" C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\
        10⤵
        
        PID:1976
        
        C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe\Updater6\backup.exe" C:\Program Files (x86)\Common Files\Adobe\Updater6\
        7⤵
        
        PID:1344
      - C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\
        6⤵
        
        PID:2044
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\update.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\update.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\
        7⤵
        
        PID:1248
        
        C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\backup.exe" C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\
        8⤵
        
        PID:2956
      - C:\Program Files (x86)\Common Files\DESIGNER\backup.exe
        
        "C:\Program Files (x86)\Common Files\DESIGNER\backup.exe" C:\Program Files (x86)\Common Files\DESIGNER\
        6⤵
        
        PID:1752
      - C:\Program Files (x86)\Common Files\microsoft shared\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\
        6⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:2268
        
        C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DAO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DAO\
        7⤵
        
        PID:848
        
        C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\DW\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\DW\
        7⤵
        
        PID:2928
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\
        7⤵
        
        PID:3024
        
        C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\
        8⤵
        
        PID:2960
        
        C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\EURO\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\EURO\
        7⤵
        
        PID:1668
        
        C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Filters\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Filters\
        7⤵
        
        PID:2800
        
        C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\
        7⤵
        
        PID:744
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\
        7⤵
        Drops file in Program Files directory
        
        PID:2652
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\
        8⤵
        
        PID:2808
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\
        8⤵
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\
        8⤵
        System policy modification
        
        PID:2912
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\
        8⤵
        
        PID:1316
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\
        8⤵
        
        PID:1496
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\
        8⤵
        
        PID:2976
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\
        8⤵
        
        PID:1852
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\
        8⤵
        System policy modification
        
        PID:2740
        
        C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\
        8⤵
        System policy modification
        
        PID:1488
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\
        7⤵
        
        PID:936
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\
        8⤵
        
        PID:2680
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\
        8⤵
        
        PID:1296
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\update.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\update.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\
        8⤵
        
        PID:460
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\
        8⤵
        
        PID:2008
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\
        8⤵
        
        PID:2028
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\
        8⤵
        
        PID:1596
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\
        8⤵
        
        PID:2780
        
        C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\
        8⤵
        
        PID:2368
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\
        7⤵
        
        PID:2480
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\
        7⤵
        Modifies visibility of file extensions in Explorer
        System policy modification
        
        PID:1768
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\
        8⤵
        
        PID:1776
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\data.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\data.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\
        7⤵
        
        PID:1568
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\
        8⤵
        
        PID:880
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\
        8⤵
        System policy modification
        
        PID:2188
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\
        8⤵
        
        PID:1536
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\
        8⤵
        
        PID:956
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\
        8⤵
        
        PID:2704
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\
        8⤵
        
        PID:1080
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\
        7⤵
        Drops file in Program Files directory
        
        PID:1472
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\
        8⤵
        
        PID:2364
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\
        8⤵
        
        PID:2508
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\
        8⤵
        Drops file in Program Files directory
        
        PID:324
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2684
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\
        9⤵
        
        PID:2560
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\
        9⤵
        
        PID:2340
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\
        9⤵
        
        PID:2072
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\
        9⤵
        
        PID:1332
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\
        9⤵
        
        PID:992
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\
        9⤵
        System policy modification
        
        PID:3068
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2644
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\
        9⤵
        
        PID:2512
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\
        9⤵
        
        PID:1684
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\
        9⤵
        
        PID:2052
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\
        9⤵
        
        PID:2572
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.fr\
        9⤵
        
        PID:2708
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\
        9⤵
        
        PID:2752
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\
        9⤵
        System policy modification
        
        PID:2256
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\
        9⤵
        
        PID:1956
        
        C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\
        9⤵
        
        PID:2580
        
        C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\
        7⤵
        
        PID:2652
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\
        7⤵
        Drops file in Program Files directory
        System policy modification
        
        PID:1996
        
        C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\
        8⤵
        
        PID:2508
        
        C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\PROOF\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\PROOF\
        7⤵
        
        PID:2924
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\
        7⤵
        
        PID:2808
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\
        8⤵
        
        PID:1972
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\
        8⤵
        
        PID:2476
        
        C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\System Restore.exe" C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\
        9⤵
        
        PID:1280
        
        C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\Stationery\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\Stationery\
        7⤵
        
        PID:2152
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\
        7⤵
        
        PID:420
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\
        8⤵
        
        PID:520
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\
        8⤵
        
        PID:2156
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\
        8⤵
        
        PID:1720
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\
        8⤵
        
        PID:1204
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2160
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\
        7⤵
        Drops file in Program Files directory
        
        PID:1976
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\
        8⤵
        
        PID:3052
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\
        8⤵
        
        PID:2040
        
        C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\
        8⤵
        
        PID:1488
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\
        7⤵
        System policy modification
        
        PID:1576
        
        C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\backup.exe" C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\
        8⤵
        
        PID:580
      - C:\Program Files (x86)\Common Files\Services\backup.exe
        
        "C:\Program Files (x86)\Common Files\Services\backup.exe" C:\Program Files (x86)\Common Files\Services\
        6⤵
        
        PID:2068
      - C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\
        6⤵
        
        PID:1176
        
        C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe
        
        "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\backup.exe" C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\
        7⤵
        
        PID:2800
      - C:\Program Files (x86)\Common Files\System\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\backup.exe" C:\Program Files (x86)\Common Files\System\
        6⤵
        Drops file in Program Files directory
        
        PID:1356
        
        C:\Program Files (x86)\Common Files\System\ado\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\backup.exe" C:\Program Files (x86)\Common Files\System\ado\
        7⤵
        
        PID:2096
        
        C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\ado\de-DE\
        8⤵
        
        PID:1900
        
        C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\ado\en-US\
        8⤵
        
        PID:2100
        
        C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\ado\es-ES\
        8⤵
        
        PID:2632
        
        C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\ado\fr-FR\
        8⤵
        
        PID:1512
        
        C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\ado\it-IT\
        8⤵
        
        PID:2388
        
        C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ado\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ado\ja-JP\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2588
        
        C:\Program Files (x86)\Common Files\System\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\de-DE\
        7⤵
        
        PID:2972
        
        C:\Program Files (x86)\Common Files\System\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\en-US\
        7⤵
        
        PID:1204
        
        C:\Program Files (x86)\Common Files\System\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\es-ES\
        7⤵
        
        PID:1724
        
        C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\fr-FR\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:476
        
        C:\Program Files (x86)\Common Files\System\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\it-IT\
        7⤵
        
        PID:3000
        
        C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\ja-JP\
        7⤵
        System policy modification
        
        PID:2620
        
        C:\Program Files (x86)\Common Files\System\msadc\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\
        7⤵
        
        PID:2440
        
        C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\de-DE\
        8⤵
        
        PID:840
        
        C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\en-US\
        8⤵
        
        PID:2084
        
        C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\es-ES\
        8⤵
        
        PID:2908
        
        C:\Program Files (x86)\Common Files\System\msadc\fr-FR\System Restore.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\fr-FR\System Restore.exe" C:\Program Files (x86)\Common Files\System\msadc\fr-FR\
        8⤵
        System policy modification
        
        PID:2176
        
        C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\it-IT\
        8⤵
        
        PID:952
        
        C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\msadc\ja-JP\backup.exe" C:\Program Files (x86)\Common Files\System\msadc\ja-JP\
        8⤵
        
        PID:2896
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\
        7⤵
        Drops file in Program Files directory
        
        PID:540
        
        C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\MSMAPI\1033\backup.exe" C:\Program Files (x86)\Common Files\System\MSMAPI\1033\
        8⤵
        
        PID:680
        
        C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\
        7⤵
        Drops file in Program Files directory
        
        PID:2272
        
        C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\
        8⤵
        
        PID:2328
        
        C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\en-US\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1488
        
        C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\
        8⤵
        
        PID:1632
        
        C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\
        8⤵
        
        PID:2140
        
        C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\backup.exe" C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\
        8⤵
        
        PID:1608
        
        C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\data.exe
        
        "C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\data.exe" C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\
        8⤵
        
        PID:1964
    - - C:\Program Files (x86)\Google\backup.exe
        
        "C:\Program Files (x86)\Google\backup.exe" C:\Program Files (x86)\Google\
        5⤵
        
        PID:1028
      - C:\Program Files (x86)\Google\CrashReports\backup.exe
        
        "C:\Program Files (x86)\Google\CrashReports\backup.exe" C:\Program Files (x86)\Google\CrashReports\
        6⤵
        
        PID:2944
      - C:\Program Files (x86)\Google\Temp\data.exe
        
        "C:\Program Files (x86)\Google\Temp\data.exe" C:\Program Files (x86)\Google\Temp\
        6⤵
        
        PID:2212
      - C:\Program Files (x86)\Google\Update\backup.exe
        
        "C:\Program Files (x86)\Google\Update\backup.exe" C:\Program Files (x86)\Google\Update\
        6⤵
        
        PID:2796
        
        C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.151\backup.exe" C:\Program Files (x86)\Google\Update\1.3.36.151\
        7⤵
        
        PID:2152
        
        C:\Program Files (x86)\Google\Update\Download\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\backup.exe" C:\Program Files (x86)\Google\Update\Download\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\backup.exe" C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\
        9⤵
        
        PID:2288
        
        C:\Program Files (x86)\Google\Update\Install\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\backup.exe" C:\Program Files (x86)\Google\Update\Install\
        7⤵
        
        PID:2708
        
        C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\backup.exe" C:\Program Files (x86)\Google\Update\Install\{8EA3FE23-8E0B-4836-8777-C2D6ED0590DC}\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2948
        
        C:\Program Files (x86)\Google\Update\Offline\backup.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\backup.exe" C:\Program Files (x86)\Google\Update\Offline\
        7⤵
        
        PID:680
    - - C:\Program Files (x86)\Internet Explorer\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\update.exe" C:\Program Files (x86)\Internet Explorer\
        5⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:1096
      - C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\de-DE\backup.exe" C:\Program Files (x86)\Internet Explorer\de-DE\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2372
      - C:\Program Files (x86)\Internet Explorer\en-US\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\en-US\backup.exe" C:\Program Files (x86)\Internet Explorer\en-US\
        6⤵
        
        PID:2340
      - C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\es-ES\backup.exe" C:\Program Files (x86)\Internet Explorer\es-ES\
        6⤵
        
        PID:1820
      - C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\fr-FR\backup.exe" C:\Program Files (x86)\Internet Explorer\fr-FR\
        6⤵
        
        PID:1496
      - C:\Program Files (x86)\Internet Explorer\it-IT\update.exe
        
        "C:\Program Files (x86)\Internet Explorer\it-IT\update.exe" C:\Program Files (x86)\Internet Explorer\it-IT\
        6⤵
        
        PID:1380
      - C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\ja-JP\backup.exe" C:\Program Files (x86)\Internet Explorer\ja-JP\
        6⤵
        System policy modification
        
        PID:1572
      - C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe
        
        "C:\Program Files (x86)\Internet Explorer\SIGNUP\backup.exe" C:\Program Files (x86)\Internet Explorer\SIGNUP\
        6⤵
        
        PID:932
    - - C:\Program Files (x86)\Microsoft Analysis Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\
        5⤵
        
        PID:2576
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\
        6⤵
        Drops file in Program Files directory
        
        PID:1292
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\
        7⤵
        
        PID:2304
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\
        8⤵
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\backup.exe" C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\
        9⤵
        
        PID:1004
    - - C:\Program Files (x86)\Microsoft Office\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\backup.exe" C:\Program Files (x86)\Microsoft Office\
        5⤵
        Drops file in Program Files directory
        
        PID:2612
      - C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2884
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\
        7⤵
        
        PID:576
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\
        7⤵
        
        PID:1740
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\backup.exe" C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
      - C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:1696
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\
        7⤵
        
        PID:2148
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\
        7⤵
        
        PID:2956
        
        C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\backup.exe" C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\
        7⤵
        
        PID:2996
      - C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\
        6⤵
        System policy modification
        
        PID:2800
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\
        7⤵
        
        PID:2976
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2856
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\
        7⤵
        
        PID:1496
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\
        8⤵
        
        PID:2312
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\
        8⤵
        
        PID:1304
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\
        8⤵
        
        PID:780
        
        C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\backup.exe" C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\
        8⤵
        
        PID:2356
      - C:\Program Files (x86)\Microsoft Office\Office14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\
        6⤵
        Drops file in Program Files directory
        
        PID:1036
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\
        7⤵
        
        PID:596
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\
        8⤵
        
        PID:2344
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\
        8⤵
        
        PID:1080
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\
        8⤵
        
        PID:1956
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\
        9⤵
        Drops file in Program Files directory
        
        PID:3016
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:856
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\update.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\update.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\
        10⤵
        
        PID:2056
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\
        10⤵
        
        PID:1708
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\
        10⤵
        
        PID:1996
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1744
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\data.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\data.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\
        8⤵
        
        PID:328
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\
        8⤵
        
        PID:2188
        
        C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\
        8⤵
        
        PID:1792
        
        C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\1036\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\1036\
        7⤵
        
        PID:2512
        
        C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\3082\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\3082\
        7⤵
        
        PID:788
        
        C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\
        7⤵
        
        PID:1760
        
        C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\
        7⤵
        
        PID:2552
        
        C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2692
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\
        7⤵
        Drops file in Program Files directory
        
        PID:780
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\
        8⤵
        
        PID:2596
        
        C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\
        8⤵
        
        PID:2860
        
        C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\
        7⤵
        System policy modification
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\backup.exe" C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\
        7⤵
        
        PID:1932
      - C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Stationery\backup.exe" C:\Program Files (x86)\Microsoft Office\Stationery\
        6⤵
        
        PID:2136
        
        C:\Program Files (x86)\Microsoft Office\Stationery\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Stationery\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Stationery\1033\
        7⤵
        
        PID:2156
      - C:\Program Files (x86)\Microsoft Office\Templates\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\
        6⤵
        
        PID:2996
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\
        7⤵
        Drops file in Program Files directory
        
        PID:2540
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\
        8⤵
        
        PID:2432
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\
        9⤵
        
        PID:108
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\
        9⤵
        
        PID:544
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\
        9⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\
        8⤵
        
        PID:1412
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\
        8⤵
        
        PID:1280
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\
        9⤵
        Drops file in Program Files directory
        
        PID:2356
        
        C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2796
        
        C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\backup.exe
        
        "C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\backup.exe" C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\
        7⤵
        
        PID:2832
    - - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\
        5⤵
        
        PID:1924
      - C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\backup.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\
        6⤵
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\update.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\update.exe" C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\
        7⤵
        
        PID:1596
    - - C:\Program Files (x86)\Microsoft Sync Framework\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\
        5⤵
        
        PID:1944
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\
        6⤵
        
        PID:2588
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\
        7⤵
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\update.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\update.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\
        8⤵
        
        PID:2004
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\
        9⤵
        
        PID:2652
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\
        7⤵
        
        PID:2644
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\System Restore.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\System Restore.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\
        8⤵
        
        PID:1572
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\backup.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\backup.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\
        9⤵
        
        PID:1952
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\data.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\data.exe" C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\
        10⤵
        
        PID:2980
    - - C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\
        5⤵
        
        PID:2656
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\
        6⤵
        
        PID:2500
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\backup.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\backup.exe" C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\
        7⤵
        
        PID:2712
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\
        5⤵
        
        PID:904
      - C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\update.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\update.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\
        6⤵
        
        PID:1316
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\
        7⤵
        
        PID:1176
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\
        8⤵
        
        PID:1640
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\
        8⤵
        
        PID:2900
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\
        8⤵
        System policy modification
        
        PID:616
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\
        9⤵
        
        PID:2184
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\
        11⤵
        
        PID:2252
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\data.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\data.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:460
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\
        7⤵
        
        PID:2248
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\
        8⤵
        
        PID:2172
      - C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\
        6⤵
        
        PID:1848
      - C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1368
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\
        7⤵
        
        PID:2380
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\backup.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\backup.exe" C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\
        8⤵
        
        PID:2140
    - - C:\Program Files (x86)\Microsoft.NET\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\backup.exe" C:\Program Files (x86)\Microsoft.NET\
        5⤵
        
        PID:916
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\backup.exe" C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\
        6⤵
        
        PID:576
      - C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\backup.exe" C:\Program Files (x86)\Microsoft.NET\RedistList\
        6⤵
        
        PID:1488
    - - C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\
        5⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Program Files directory
        
        PID:2296
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\backup.exe" C:\Program Files (x86)\Mozilla Maintenance Service\logs\
        6⤵
        
        PID:2556
    - - C:\Program Files (x86)\MSBuild\backup.exe
        
        "C:\Program Files (x86)\MSBuild\backup.exe" C:\Program Files (x86)\MSBuild\
        5⤵
        Drops file in Program Files directory
        
        PID:3036
  - - C:\Users\data.exe
      C:\Users\data.exe C:\Users\
      4⤵
      System Location Discovery: System Language Discovery
      PID:1788
    - - C:\Users\Admin\backup.exe
        
        C:\Users\Admin\backup.exe C:\Users\Admin\
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:824
      - C:\Users\Admin\Contacts\backup.exe
        
        C:\Users\Admin\Contacts\backup.exe C:\Users\Admin\Contacts\
        6⤵
        
        PID:2468
      - C:\Users\Admin\Desktop\backup.exe
        
        C:\Users\Admin\Desktop\backup.exe C:\Users\Admin\Desktop\
        6⤵
        
        PID:2920
      - C:\Users\Admin\Documents\backup.exe
        
        C:\Users\Admin\Documents\backup.exe C:\Users\Admin\Documents\
        6⤵
        
        PID:1224
      - C:\Users\Admin\Downloads\backup.exe
        
        C:\Users\Admin\Downloads\backup.exe C:\Users\Admin\Downloads\
        6⤵
        System policy modification
        
        PID:2136
      - C:\Users\Admin\Favorites\backup.exe
        
        C:\Users\Admin\Favorites\backup.exe C:\Users\Admin\Favorites\
        6⤵
        
        PID:1944
      - C:\Users\Admin\Links\backup.exe
        
        C:\Users\Admin\Links\backup.exe C:\Users\Admin\Links\
        6⤵
        
        PID:2392
      - C:\Users\Admin\Music\backup.exe
        
        C:\Users\Admin\Music\backup.exe C:\Users\Admin\Music\
        6⤵
        
        PID:1512
      - C:\Users\Admin\Pictures\backup.exe
        
        C:\Users\Admin\Pictures\backup.exe C:\Users\Admin\Pictures\
        6⤵
        
        PID:2576
      - C:\Users\Admin\Saved Games\backup.exe
        
        "C:\Users\Admin\Saved Games\backup.exe" C:\Users\Admin\Saved Games\
        6⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:1764
      - C:\Users\Admin\Searches\backup.exe
        
        C:\Users\Admin\Searches\backup.exe C:\Users\Admin\Searches\
        6⤵
        
        PID:2352
      - C:\Users\Admin\Videos\backup.exe
        
        C:\Users\Admin\Videos\backup.exe C:\Users\Admin\Videos\
        6⤵
        
        PID:2192
    - - C:\Users\Public\backup.exe
        
        C:\Users\Public\backup.exe C:\Users\Public\
        5⤵
        
        PID:944
      - C:\Users\Public\Documents\backup.exe
        
        C:\Users\Public\Documents\backup.exe C:\Users\Public\Documents\
        6⤵
        
        PID:2588
      - C:\Users\Public\Downloads\backup.exe
        
        C:\Users\Public\Downloads\backup.exe C:\Users\Public\Downloads\
        6⤵
        
        PID:1432
      - C:\Users\Public\Music\data.exe
        
        C:\Users\Public\Music\data.exe C:\Users\Public\Music\
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Public\Music\Sample Music\System Restore.exe
        
        "C:\Users\Public\Music\Sample Music\System Restore.exe" C:\Users\Public\Music\Sample Music\
        7⤵
        
        PID:1736
      - C:\Users\Public\Pictures\backup.exe
        
        C:\Users\Public\Pictures\backup.exe C:\Users\Public\Pictures\
        6⤵
        
        PID:1552
        
        C:\Users\Public\Pictures\Sample Pictures\backup.exe
        
        "C:\Users\Public\Pictures\Sample Pictures\backup.exe" C:\Users\Public\Pictures\Sample Pictures\
        7⤵
        
        PID:2612
      - C:\Users\Public\Recorded TV\backup.exe
        
        "C:\Users\Public\Recorded TV\backup.exe" C:\Users\Public\Recorded TV\
        6⤵
        
        PID:1516
        
        C:\Users\Public\Recorded TV\Sample Media\backup.exe
        
        "C:\Users\Public\Recorded TV\Sample Media\backup.exe" C:\Users\Public\Recorded TV\Sample Media\
        7⤵
        
        PID:2780
      - C:\Users\Public\Videos\backup.exe
        
        C:\Users\Public\Videos\backup.exe C:\Users\Public\Videos\
        6⤵
        
        PID:2988
        
        C:\Users\Public\Videos\Sample Videos\backup.exe
        
        "C:\Users\Public\Videos\Sample Videos\backup.exe" C:\Users\Public\Videos\Sample Videos\
        7⤵
        
        PID:2668
  - - C:\Windows\backup.exe
      C:\Windows\backup.exe C:\Windows\
      4⤵
      Drops file in Windows directory
      PID:1908
    - - C:\Windows\addins\System Restore.exe
        
        "C:\Windows\addins\System Restore.exe" C:\Windows\addins\
        5⤵
        Modifies visibility of file extensions in Explorer
        
        PID:476
    - - C:\Windows\AppCompat\backup.exe
        
        C:\Windows\AppCompat\backup.exe C:\Windows\AppCompat\
        5⤵
        
        PID:1732
    - - C:\Windows\AppPatch\backup.exe
        
        C:\Windows\AppPatch\backup.exe C:\Windows\AppPatch\
        5⤵
        Drops file in Windows directory
        
        PID:1476
      - C:\Windows\AppPatch\AppPatch64\backup.exe
        
        C:\Windows\AppPatch\AppPatch64\backup.exe C:\Windows\AppPatch\AppPatch64\
        6⤵
        
        PID:2272
      - C:\Windows\AppPatch\Custom\backup.exe
        
        C:\Windows\AppPatch\Custom\backup.exe C:\Windows\AppPatch\Custom\
        6⤵
        
        PID:2796
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe
        
        C:\Windows\AppPatch\Custom\Custom64\backup.exe C:\Windows\AppPatch\Custom\Custom64\
        7⤵
        
        PID:1304
      - C:\Windows\AppPatch\de-DE\backup.exe
        
        C:\Windows\AppPatch\de-DE\backup.exe C:\Windows\AppPatch\de-DE\
        6⤵
        
        PID:1364
      - C:\Windows\AppPatch\en-US\backup.exe
        
        C:\Windows\AppPatch\en-US\backup.exe C:\Windows\AppPatch\en-US\
        6⤵
        
        PID:552
      - C:\Windows\AppPatch\es-ES\backup.exe
        
        C:\Windows\AppPatch\es-ES\backup.exe C:\Windows\AppPatch\es-ES\
        6⤵
        
        PID:2300
      - C:\Windows\AppPatch\fr-FR\backup.exe
        
        C:\Windows\AppPatch\fr-FR\backup.exe C:\Windows\AppPatch\fr-FR\
        6⤵
        
        PID:2280
      - C:\Windows\AppPatch\it-IT\backup.exe
        
        C:\Windows\AppPatch\it-IT\backup.exe C:\Windows\AppPatch\it-IT\
        6⤵
        System policy modification
        
        PID:2304
      - C:\Windows\AppPatch\ja-JP\backup.exe
        
        C:\Windows\AppPatch\ja-JP\backup.exe C:\Windows\AppPatch\ja-JP\
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2288
    - - C:\Windows\assembly\data.exe
        
        C:\Windows\assembly\data.exe C:\Windows\assembly\
        5⤵
        Drops file in Windows directory
        
        PID:1120
      - C:\Windows\assembly\GAC\backup.exe
        
        C:\Windows\assembly\GAC\backup.exe C:\Windows\assembly\GAC\
        6⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2100
        
        C:\Windows\assembly\GAC\ADODB\update.exe
        
        C:\Windows\assembly\GAC\ADODB\update.exe C:\Windows\assembly\GAC\ADODB\
        7⤵
        
        PID:1976
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2296
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\backup.exe C:\Windows\assembly\GAC\Extensibility\
        7⤵
        
        PID:2688
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        System policy modification
        
        PID:2576
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\
        7⤵
        Drops file in Windows directory
        
        PID:1616
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.0.2201.0__31bf3856ad364e35\
        8⤵
        
        PID:2992
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\Microsoft.Ink\1.7.2600.2180__31bf3856ad364e35\
        8⤵
        
        PID:2980
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\
        7⤵
        
        PID:2588
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2928
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\
        7⤵
        
        PID:324
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1668
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\backup.exe C:\Windows\assembly\GAC\mscomctl\
        7⤵
        
        PID:2800
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\
        8⤵
        
        PID:2728
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\backup.exe C:\Windows\assembly\GAC\MSDATASRC\
        7⤵
        Drops file in Windows directory
        System policy modification
        
        PID:2712
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1608
        
        C:\Windows\assembly\GAC\stdole\backup.exe
        
        C:\Windows\assembly\GAC\stdole\backup.exe C:\Windows\assembly\GAC\stdole\
        7⤵
        Drops file in Windows directory
        
        PID:2924
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\update.exe
        
        C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\update.exe C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1844
      - C:\Windows\assembly\GAC_32\backup.exe
        
        C:\Windows\assembly\GAC_32\backup.exe C:\Windows\assembly\GAC_32\
        6⤵
        Drops file in Windows directory
        
        PID:1600
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\System Restore.exe" C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\
        7⤵
        
        PID:3016
        
        C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\System Restore.exe" C:\Windows\assembly\GAC_32\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2876
        
        C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\
        7⤵
        Drops file in Windows directory
        
        PID:1944
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\BDATunePIA\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2572
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\
        7⤵
        
        PID:1848
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2164
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\
        7⤵
        
        PID:2812
        
        C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:928
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\
        7⤵
        
        PID:2196
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\
        7⤵
        
        PID:2348
        
        C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2240
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:700
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2920
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
        7⤵
        Drops file in Windows directory
        
        PID:2948
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2296
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_en_31bf3856ad364e35\
        8⤵
        
        PID:736
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_es_31bf3856ad364e35\
        8⤵
        
        PID:680
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\System Restore.exe
        
        "C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\System Restore.exe" C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_fr_31bf3856ad364e35\
        8⤵
        
        PID:940
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_it_31bf3856ad364e35\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_ja_31bf3856ad364e35\
        8⤵
        
        PID:1532
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\
        7⤵
        
        PID:2904
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.Interop\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2212
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\
        7⤵
        
        PID:2140
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1724
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\
        7⤵
        
        PID:2496
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1920
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\
        7⤵
        
        PID:2936
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.Access.BusinessDataCatalog\14.0.0.0__71e9bce111e9429c\
        8⤵
        
        PID:2748
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\
        7⤵
        
        PID:2044
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.BusinessData\14.0.0.0__71e9bce111e9429c\
        8⤵
        
        PID:1300
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\
        7⤵
        
        PID:2716
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\
        8⤵
        
        PID:2384
        
        C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe
        
        C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\backup.exe C:\Windows\assembly\GAC_32\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\
        7⤵
        Drops file in Windows directory
        
        PID:2784
      - C:\Windows\assembly\GAC_64\backup.exe
        
        C:\Windows\assembly\GAC_64\backup.exe C:\Windows\assembly\GAC_64\
        6⤵
        Drops file in Windows directory
        
        PID:2968
        
        C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\backup.exe
        
        C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\backup.exe C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\
        7⤵
        Drops file in Windows directory
        
        PID:2100
        
        C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\AuditPolicyGPManagedStubs.Interop\6.1.0.0__31bf3856ad364e35\
        8⤵
        System policy modification
        
        PID:2952
        
        C:\Windows\assembly\GAC_64\BDATunePIA\backup.exe
        
        C:\Windows\assembly\GAC_64\BDATunePIA\backup.exe C:\Windows\assembly\GAC_64\BDATunePIA\
        7⤵
        Drops file in Windows directory
        
        PID:2964
        
        C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\BDATunePIA\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2704
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\
        7⤵
        
        PID:2992
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2284
        
        C:\Windows\assembly\GAC_64\ISymWrapper\System Restore.exe
        
        "C:\Windows\assembly\GAC_64\ISymWrapper\System Restore.exe" C:\Windows\assembly\GAC_64\ISymWrapper\
        7⤵
        
        PID:2828
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:1248
        
        C:\Windows\assembly\GAC_64\mcstoredb\backup.exe
        
        C:\Windows\assembly\GAC_64\mcstoredb\backup.exe C:\Windows\assembly\GAC_64\mcstoredb\
        7⤵
        
        PID:2380
        
        C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\mcstoredb\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2960
        
        C:\Windows\assembly\GAC_64\mcupdate\System Restore.exe
        
        "C:\Windows\assembly\GAC_64\mcupdate\System Restore.exe" C:\Windows\assembly\GAC_64\mcupdate\
        7⤵
        Drops file in Windows directory
        
        PID:812
        
        C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:2152
        
        C:\Windows\assembly\GAC_64\Mcx2Dvcs\backup.exe
        
        C:\Windows\assembly\GAC_64\Mcx2Dvcs\backup.exe C:\Windows\assembly\GAC_64\Mcx2Dvcs\
        7⤵
        Drops file in Windows directory
        
        PID:2852
        
        C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Mcx2Dvcs\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1576
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\6.1.0.0__31bf3856ad364e35\
        8⤵
        
        PID:1264
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\
        7⤵
        Modifies visibility of file extensions in Explorer
        Drops file in Windows directory
        
        PID:2600
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe
        
        C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\backup.exe C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\6.1.0.0_de_31bf3856ad364e35\
        8⤵
        
        PID:2704
      - C:\Windows\assembly\GAC_MSIL\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\backup.exe C:\Windows\assembly\GAC_MSIL\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:2880
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\
        7⤵
        System policy modification
        
        PID:3052
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2452
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\
        7⤵
        
        PID:1668
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:584
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\
        7⤵
        
        PID:1932
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2656
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\
        7⤵
        
        PID:2960
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\backup.exe C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\
        8⤵
        
        PID:2024
        
        C:\Windows\assembly\GAC_MSIL\ehCIR\backup.exe
        
        C:\Windows\assembly\GAC_MSIL\ehCIR\backup.exe C:\Windows\assembly\GAC_MSIL\ehCIR\
        7⤵
        Drops file in Windows directory
        
        PID:1068
      - C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\
        6⤵
        System policy modification
        
        PID:3004
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\
        7⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\9859a6e0562f64eacfb8ad76f260a2d6\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\9859a6e0562f64eacfb8ad76f260a2d6\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\9859a6e0562f64eacfb8ad76f260a2d6\
        8⤵
        
        PID:1412
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\
        7⤵
        Drops file in Windows directory
        
        PID:1804
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\a0a453714c9ec8d6954490f711f5158a\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\a0a453714c9ec8d6954490f711f5158a\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\a0a453714c9ec8d6954490f711f5158a\
        8⤵
        
        PID:2608
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\
        7⤵
        Drops file in Windows directory
        
        PID:2580
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\BDATunePIA\2823d3be9334fea94dce8001b247589b\
        8⤵
        
        PID:1820
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\
        7⤵
        
        PID:2920
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\System Restore.exe
        
        "C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\
        8⤵
        
        PID:2892
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\
        7⤵
        
        PID:1752
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\
        8⤵
        
        PID:2432
      - C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\
        6⤵
        Drops file in Windows directory
        
        PID:1736
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\System Restore.exe
        
        "C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\
        7⤵
        Drops file in Windows directory
        
        PID:2228
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\System Restore.exe
        
        "C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_64\Accessibility\b03641c39929ad202f0c3a9a64b93d86\
        8⤵
        
        PID:2732
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\
        7⤵
        
        PID:2652
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\ce8c100b866ac8facc1902286aede990\System Restore.exe
        
        "C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\ce8c100b866ac8facc1902286aede990\System Restore.exe" C:\Windows\assembly\NativeImages_v2.0.50727_64\AuditPolicyGPManage#\ce8c100b866ac8facc1902286aede990\
        8⤵
        
        PID:264
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\
        7⤵
        
        PID:788
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\13385391832b7c36af9306baeb570e57\backup.exe
        
        C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\13385391832b7c36af9306baeb570e57\backup.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\BDATunePIA\13385391832b7c36af9306baeb570e57\
        8⤵
        
        PID:2492
      - C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\
        6⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\
        7⤵
        Drops file in Windows directory
        
        PID:1844
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\bbbbd997a1621cf1e739f922fe653459\
        8⤵
        
        PID:2612
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\
        7⤵
        
        PID:2476
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\5857dbc9f0d3cb3364728ec72497ece9\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\5857dbc9f0d3cb3364728ec72497ece9\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_32\AspNetMMCExt\5857dbc9f0d3cb3364728ec72497ece9\
        8⤵
        
        PID:2876
      - C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1956
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\backup.exe
        
        C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\backup.exe C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\
        7⤵
        
        PID:2228
    - - C:\Windows\Branding\backup.exe
        
        C:\Windows\Branding\backup.exe C:\Windows\Branding\
        5⤵
        
        PID:2336
      - C:\Windows\Branding\Basebrd\backup.exe
        
        C:\Windows\Branding\Basebrd\backup.exe C:\Windows\Branding\Basebrd\
        6⤵
        Drops file in Windows directory
        
        PID:1764
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe
        
        C:\Windows\Branding\Basebrd\de-DE\backup.exe C:\Windows\Branding\Basebrd\de-DE\
        7⤵
        
        PID:3052
        
        C:\Windows\Branding\Basebrd\en-US\data.exe
        
        C:\Windows\Branding\Basebrd\en-US\data.exe C:\Windows\Branding\Basebrd\en-US\
        7⤵
        
        PID:2580
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe
        
        C:\Windows\Branding\Basebrd\es-ES\backup.exe C:\Windows\Branding\Basebrd\es-ES\
        7⤵
        
        PID:2284
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe
        
        C:\Windows\Branding\Basebrd\fr-FR\backup.exe C:\Windows\Branding\Basebrd\fr-FR\
        7⤵
        
        PID:744
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe
        
        C:\Windows\Branding\Basebrd\it-IT\backup.exe C:\Windows\Branding\Basebrd\it-IT\
        7⤵
        
        PID:536
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe
        
        C:\Windows\Branding\Basebrd\ja-JP\backup.exe C:\Windows\Branding\Basebrd\ja-JP\
        7⤵
        
        PID:1776
      - C:\Windows\Branding\ShellBrd\System Restore.exe
        
        "C:\Windows\Branding\ShellBrd\System Restore.exe" C:\Windows\Branding\ShellBrd\
        6⤵
        
        PID:2644
    - - C:\Windows\CSC\backup.exe
        
        C:\Windows\CSC\backup.exe C:\Windows\CSC\
        5⤵
        
        PID:2160
    - - C:\Windows\Cursors\backup.exe
        
        C:\Windows\Cursors\backup.exe C:\Windows\Cursors\
        5⤵
        
        PID:1380
    - - C:\Windows\debug\backup.exe
        
        C:\Windows\debug\backup.exe C:\Windows\debug\
        5⤵
        Drops file in Windows directory
        
        PID:1784
      - C:\Windows\debug\WIA\backup.exe
        
        C:\Windows\debug\WIA\backup.exe C:\Windows\debug\WIA\
        6⤵
        System policy modification
        
        PID:2952
    - - C:\Windows\de-DE\backup.exe
        
        C:\Windows\de-DE\backup.exe C:\Windows\de-DE\
        5⤵
        
        PID:928
    - - C:\Windows\DigitalLocker\backup.exe
        
        C:\Windows\DigitalLocker\backup.exe C:\Windows\DigitalLocker\
        5⤵
        Drops file in Windows directory
        
        PID:2024
      - C:\Windows\DigitalLocker\de-DE\backup.exe
        
        C:\Windows\DigitalLocker\de-DE\backup.exe C:\Windows\DigitalLocker\de-DE\
        6⤵
        
        PID:2008
      - C:\Windows\DigitalLocker\en-US\backup.exe
        
        C:\Windows\DigitalLocker\en-US\backup.exe C:\Windows\DigitalLocker\en-US\
        6⤵
        
        PID:2448
      - C:\Windows\DigitalLocker\es-ES\backup.exe
        
        C:\Windows\DigitalLocker\es-ES\backup.exe C:\Windows\DigitalLocker\es-ES\
        6⤵
        
        PID:2856
      - C:\Windows\DigitalLocker\fr-FR\backup.exe
        
        C:\Windows\DigitalLocker\fr-FR\backup.exe C:\Windows\DigitalLocker\fr-FR\
        6⤵
        
        PID:932
      - C:\Windows\DigitalLocker\it-IT\backup.exe
        
        C:\Windows\DigitalLocker\it-IT\backup.exe C:\Windows\DigitalLocker\it-IT\
        6⤵
        System policy modification
        
        PID:2296
      - C:\Windows\DigitalLocker\ja-JP\backup.exe
        
        C:\Windows\DigitalLocker\ja-JP\backup.exe C:\Windows\DigitalLocker\ja-JP\
        6⤵
        
        PID:2672
    - - C:\Windows\Downloaded Program Files\backup.exe
        
        "C:\Windows\Downloaded Program Files\backup.exe" C:\Windows\Downloaded Program Files\
        5⤵
        
        PID:1204
    - - C:\Windows\ehome\System Restore.exe
        
        "C:\Windows\ehome\System Restore.exe" C:\Windows\ehome\
        5⤵
        Drops file in Windows directory
        
        PID:2180
      - C:\Windows\ehome\CreateDisc\backup.exe
        
        C:\Windows\ehome\CreateDisc\backup.exe C:\Windows\ehome\CreateDisc\
        6⤵
        Drops file in Windows directory
        System policy modification
        
        PID:1800
        
        C:\Windows\ehome\CreateDisc\Components\backup.exe
        
        C:\Windows\ehome\CreateDisc\Components\backup.exe C:\Windows\ehome\CreateDisc\Components\
        7⤵
        Drops file in Windows directory
        
        PID:2000
        
        C:\Windows\ehome\CreateDisc\Components\tables\backup.exe
        
        C:\Windows\ehome\CreateDisc\Components\tables\backup.exe C:\Windows\ehome\CreateDisc\Components\tables\
        8⤵
        
        PID:744
        
        C:\Windows\ehome\CreateDisc\Filters\backup.exe
        
        C:\Windows\ehome\CreateDisc\Filters\backup.exe C:\Windows\ehome\CreateDisc\Filters\
        7⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2992
        
        C:\Windows\ehome\CreateDisc\SFXPlugins\update.exe
        
        C:\Windows\ehome\CreateDisc\SFXPlugins\update.exe C:\Windows\ehome\CreateDisc\SFXPlugins\
        7⤵
        
        PID:2096
        
        C:\Windows\ehome\CreateDisc\SonicResources\backup.exe
        
        C:\Windows\ehome\CreateDisc\SonicResources\backup.exe C:\Windows\ehome\CreateDisc\SonicResources\
        7⤵
        
        PID:1572
      - C:\Windows\ehome\de-DE\data.exe
        
        C:\Windows\ehome\de-DE\data.exe C:\Windows\ehome\de-DE\
        6⤵
        
        PID:2640
      - C:\Windows\ehome\en-US\backup.exe
        
        C:\Windows\ehome\en-US\backup.exe C:\Windows\ehome\en-US\
        6⤵
        
        PID:2652
      - C:\Windows\ehome\es-ES\backup.exe
        
        C:\Windows\ehome\es-ES\backup.exe C:\Windows\ehome\es-ES\
        6⤵
        
        PID:780
    - - C:\Windows\en-US\backup.exe
        
        C:\Windows\en-US\backup.exe C:\Windows\en-US\
        5⤵
        
        PID:2696
    - - C:\Windows\es-ES\backup.exe
        
        C:\Windows\es-ES\backup.exe C:\Windows\es-ES\
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
    - - C:\Windows\Fonts\backup.exe
        
        C:\Windows\Fonts\backup.exe C:\Windows\Fonts\
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
- C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe
  C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\backup.exe C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\Low\backup.exe
  C:\Users\Admin\AppData\Local\Temp\Low\backup.exe C:\Users\Admin\AppData\Local\Temp\Low\
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe
  C:\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb07b84d53fabc90\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb07b84d53fabc90\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb07b84d53fabc90\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0b45804490d366e\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0b45804490d366e\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft.windows.d..ackmodule.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0b45804490d366e\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:564
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6997af2ce08929c3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6997af2ce08929c3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6997af2ce08929c3\
      4⤵
      Modifies visibility of file extensions in Explorer
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_6bc8c2f4dd77ad5d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_6bc8c2f4dd77ad5d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_6bc8c2f4dd77ad5d\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cea9abf2aa5aade0\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cea9abf2aa5aade0\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cea9abf2aa5aade0\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:916
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5e647d3561f1a23f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5e647d3561f1a23f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5e647d3561f1a23f\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_666db9f744c2fe32\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_666db9f744c2fe32\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-oleaccrc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_666db9f744c2fe32\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..an-plugin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_752d0cbaec4d2602\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..an-plugin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_752d0cbaec4d2602\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..an-plugin.resources_31bf3856ad364e35_6.1.7600.16385_es-es_752d0cbaec4d2602\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:596
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1bd08351e8ce9b27\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1bd08351e8ce9b27\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1bd08351e8ce9b27\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ecounters.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8ba94e0c25823534\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ecounters.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8ba94e0c25823534\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ecounters.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8ba94e0c25823534\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..eercollab.resources_31bf3856ad364e35_6.1.7600.16385_es-es_82946e72e9a0f858\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..eercollab.resources_31bf3856ad364e35_6.1.7600.16385_es-es_82946e72e9a0f858\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..eercollab.resources_31bf3856ad364e35_6.1.7600.16385_es-es_82946e72e9a0f858\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..etoolsgui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bb9e8ac791f378c2\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..etoolsgui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bb9e8ac791f378c2\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..etoolsgui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bb9e8ac791f378c2\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ginworker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8528f348e3c62c8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ginworker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8528f348e3c62c8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ginworker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8528f348e3c62c8\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c216849e273364de\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c216849e273364de\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c216849e273364de\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:928
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_48fdf3dda88a41a7\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_48fdf3dda88a41a7\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ll-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_48fdf3dda88a41a7\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a6812bc1115156b5\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a6812bc1115156b5\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..l-message.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a6812bc1115156b5\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3d8f9821ec01add2\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3d8f9821ec01add2\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3d8f9821ec01add2\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc89231e8251fb4a\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc89231e8251fb4a\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..noverride.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc89231e8251fb4a\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..opeerbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e15878ebc71c5fe4\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..opeerbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e15878ebc71c5fe4\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..opeerbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e15878ebc71c5fe4\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_011040f9ee765307\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_011040f9ee765307\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_011040f9ee765307\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:856
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a6fe5e61c4685e4b\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a6fe5e61c4685e4b\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a6fe5e61c4685e4b\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af413ca6832fc368\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af413ca6832fc368\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ssettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af413ca6832fc368\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..st-common.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d0a69f7829d7102a\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..st-common.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d0a69f7829d7102a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..st-common.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d0a69f7829d7102a\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb31547d0a230c7b\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb31547d0a230c7b\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cb31547d0a230c7b\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ystem-web.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16cbdc9a16d6af9e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ystem-web.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16cbdc9a16d6af9e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-p..ystem-web.resources_31bf3856ad364e35_6.1.7600.16385_es-es_16cbdc9a16d6af9e\
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-pcw.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc7e99f755d0ebd0\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-pcw.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc7e99f755d0ebd0\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-pcw.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fc7e99f755d0ebd0\
      4⤵
      System policy modification
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-peerdist.resources_31bf3856ad364e35_6.1.7600.16385_es-es_76d9b9f1825db588\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-peerdist.resources_31bf3856ad364e35_6.1.7600.16385_es-es_76d9b9f1825db588\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-peerdist.resources_31bf3856ad364e35_6.1.7600.16385_es-es_76d9b9f1825db588\
      4⤵
      PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-processmodel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ab6e7d35d9d73cda\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-processmodel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ab6e7d35d9d73cda\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-processmodel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ab6e7d35d9d73cda\
      4⤵
      PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-qos.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a177a4cbfc90dfaf\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-qos.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a177a4cbfc90dfaf\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-qos.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a177a4cbfc90dfaf\
      4⤵
      PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..comserver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_40087fef6e827989\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..comserver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_40087fef6e827989\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..comserver.resources_31bf3856ad364e35_6.1.7600.16385_es-es_40087fef6e827989\
      4⤵
      PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_60e635d950f7faef\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_60e635d950f7faef\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..ry-editor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_60e635d950f7faef\
      4⤵
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..tance-exe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f253f179ff19dda1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..tance-exe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f253f179ff19dda1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-r..tance-exe.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f253f179ff19dda1\
      4⤵
      System Location Discovery: System Language Discovery
      PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c42c8a2303da16f1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c42c8a2303da16f1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-rasbase.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c42c8a2303da16f1\
      4⤵
      PID:536
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-rasctrs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_264375172c48afbe\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-rasctrs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_264375172c48afbe\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-rasctrs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_264375172c48afbe\
      4⤵
      PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..ativehost.resources_31bf3856ad364e35_6.1.7600.16385_es-es_97f172a850c09f2e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..ativehost.resources_31bf3856ad364e35_6.1.7600.16385_es-es_97f172a850c09f2e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..ativehost.resources_31bf3856ad364e35_6.1.7600.16385_es-es_97f172a850c09f2e\
      4⤵
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..iveengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ad19eb071e62d0c6\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..iveengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ad19eb071e62d0c6\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..iveengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ad19eb071e62d0c6\
      4⤵
      PID:2364
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..ty-spp-ux.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5efaea1b49bb296e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..ty-spp-ux.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5efaea1b49bb296e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-s..ty-spp-ux.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5efaea1b49bb296e\
      4⤵
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fe014b662e811c50\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fe014b662e811c50\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-shsvcs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_fe014b662e811c50\
      4⤵
      PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-storprop.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2eb7cd094ac29a2f\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-storprop.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2eb7cd094ac29a2f\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-storprop.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2eb7cd094ac29a2f\
      4⤵
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_66e35691216ba50e\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_66e35691216ba50e\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..nputpanel.resources_31bf3856ad364e35_6.1.7600.16385_es-es_66e35691216ba50e\
      4⤵
      PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b70f499390d53a\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b70f499390d53a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b70f499390d53a\
      4⤵
      PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7601.17514_es-es_04e82311907f58d4\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7601.17514_es-es_04e82311907f58d4\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7601.17514_es-es_04e82311907f58d4\
      4⤵
      PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..tservices.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7776eb9a9675ceba\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..tservices.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7776eb9a9675ceba\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..tservices.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7776eb9a9675ceba\
      4⤵
      PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..utcontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5e2636f1c14c7eed\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..utcontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5e2636f1c14c7eed\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-t..utcontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5e2636f1c14c7eed\
      4⤵
      PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-tapicore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ffd1c0faa410a61\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-tapicore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ffd1c0faa410a61\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-tapicore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5ffd1c0faa410a61\
      4⤵
      PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-u..ationcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7096e79d772dfa5e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-u..ationcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7096e79d772dfa5e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-u..ationcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7096e79d772dfa5e\
      4⤵
      PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-uianimation.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3d9d287e296ac760\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-uianimation.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3d9d287e296ac760\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-uianimation.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3d9d287e296ac760\
      4⤵
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3395ad7f386e0060\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3395ad7f386e0060\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-uiribbon.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3395ad7f386e0060\
      4⤵
      PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-usbperf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3fcf8d6d6ee35afb\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-usbperf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3fcf8d6d6ee35afb\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-usbperf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3fcf8d6d6ee35afb\
      4⤵
      PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a412f0a77955f454\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a412f0a77955f454\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a412f0a77955f454\
      4⤵
      PID:936
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_a644046f764477ee\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_a644046f764477ee\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-user32.resources_31bf3856ad364e35_6.1.7601.17514_es-es_a644046f764477ee\
      4⤵
      PID:1096
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..eocontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_286cc39e0155cd8e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..eocontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_286cc39e0155cd8e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..eocontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_286cc39e0155cd8e\
      4⤵
      PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..lpc-vmsal.resources_31bf3856ad364e35_7.1.7601.17514_es-es_d44d8fd5b93ba0a5\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..lpc-vmsal.resources_31bf3856ad364e35_7.1.7601.17514_es-es_d44d8fd5b93ba0a5\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-v..lpc-vmsal.resources_31bf3856ad364e35_7.1.7601.17514_es-es_d44d8fd5b93ba0a5\
      4⤵
      PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_7.3.7600.16385_es-es_966739ca6f90f755\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_7.3.7600.16385_es-es_966739ca6f90f755\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_7.3.7600.16385_es-es_966739ca6f90f755\
      4⤵
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_7.5.7601.17514_es-es_28f5e81baa162d31\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_7.5.7601.17514_es-es_28f5e81baa162d31\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_7.5.7601.17514_es-es_28f5e81baa162d31\
      4⤵
      PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbeb18096188fc4e\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbeb18096188fc4e\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dbeb18096188fc4e\
      4⤵
      PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-win32k.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b379b64eac772036\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-win32k.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b379b64eac772036\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-win32k.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b379b64eac772036\
      4⤵
      PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a3de389e52a4b2f3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a3de389e52a4b2f3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-winsrv.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a3de389e52a4b2f3\
      4⤵
      PID:2240
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a3da82d7e4539cf8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a3da82d7e4539cf8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wlansvc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a3da82d7e4539cf8\
      4⤵
      System policy modification
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3adc871815e17973\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3adc871815e17973\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3adc871815e17973\
      4⤵
      PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_3d0d9ae012cffd0d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_3d0d9ae012cffd0d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core.resources_31bf3856ad364e35_6.1.7601.17514_es-es_3d0d9ae012cffd0d\
      4⤵
      PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core-svc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f2bd40f77a8b614c\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core-svc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f2bd40f77a8b614c\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmi-core-svc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f2bd40f77a8b614c\
      4⤵
      PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmpnss-api.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cadf6c686ed8facd\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmpnss-api.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cadf6c686ed8facd\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wmpnss-api.resources_31bf3856ad364e35_6.1.7600.16385_es-es_cadf6c686ed8facd\
      4⤵
      PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wow64.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e3dbfce67c50e1d5\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wow64.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e3dbfce67c50e1d5\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-wow64.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e3dbfce67c50e1d5\
      4⤵
      PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_security-malware-wi..-defender.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f76b1c91df26b7b5\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_security-malware-wi..-defender.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f76b1c91df26b7b5\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_security-malware-wi..-defender.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f76b1c91df26b7b5\
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_security-malware-wi..er-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4d31740567f07db\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_security-malware-wi..er-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4d31740567f07db\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_security-malware-wi..er-events.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4d31740567f07db\
      4⤵
      System policy modification
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_subsystem-for-unix-..lications.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8a2303b71b4db415\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_subsystem-for-unix-..lications.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8a2303b71b4db415\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_subsystem-for-unix-..lications.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8a2303b71b4db415\
      4⤵
      PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_windowssearchengine.resources_31bf3856ad364e35_7.0.7600.16385_es-es_1e7ba14b6256e51c\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_windowssearchengine.resources_31bf3856ad364e35_7.0.7600.16385_es-es_1e7ba14b6256e51c\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_windowssearchengine.resources_31bf3856ad364e35_7.0.7600.16385_es-es_1e7ba14b6256e51c\
      4⤵
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_ddores.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5c0da4d2d25e737f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_ddores.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5c0da4d2d25e737f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_ddores.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5c0da4d2d25e737f\
      4⤵
      PID:308
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_desktop_shell-gettingstarted.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3c084c8b3b53ea89\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_desktop_shell-gettingstarted.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3c084c8b3b53ea89\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_desktop_shell-gettingstarted.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3c084c8b3b53ea89\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_desktop_shell-search-srchadmin.resources_31bf3856ad364e35_7.0.7600.16385_es-es_24075b280aaf0844\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_desktop_shell-search-srchadmin.resources_31bf3856ad364e35_7.0.7600.16385_es-es_24075b280aaf0844\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_desktop_shell-search-srchadmin.resources_31bf3856ad364e35_7.0.7600.16385_es-es_24075b280aaf0844\
      4⤵
      System policy modification
      PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_devicepairingproxy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8078f29b7712beb8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_devicepairingproxy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8078f29b7712beb8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_devicepairingproxy.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8078f29b7712beb8\
      4⤵
      PID:936
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_ds-ui-ext.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1dd7c4f15bba462e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_ds-ui-ext.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1dd7c4f15bba462e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_ds-ui-ext.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1dd7c4f15bba462e\
      4⤵
      PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_eventviewersettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_96d3a57ef55ee681\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_eventviewersettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_96d3a57ef55ee681\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_eventviewersettings.resources_31bf3856ad364e35_6.1.7600.16385_es-es_96d3a57ef55ee681\
      4⤵
      PID:1120
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_fundisc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ddd9269e1e33a4d0\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_fundisc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ddd9269e1e33a4d0\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_fundisc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_ddd9269e1e33a4d0\
      4⤵
      PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_654443034cacf513\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_654443034cacf513\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_es-es_654443034cacf513\
      4⤵
      PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_infocard.resources_b77a5c561934e089_6.1.7600.16385_es-es_64111c685385404d\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_infocard.resources_b77a5c561934e089_6.1.7600.16385_es-es_64111c685385404d\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_infocard.resources_b77a5c561934e089_6.1.7600.16385_es-es_64111c685385404d\
      4⤵
      PID:788
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_es-es_0104362cfbfc75f8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_es-es_0104362cfbfc75f8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.activedir..anagement.resources_31bf3856ad364e35_6.1.7601.17514_es-es_0104362cfbfc75f8\
      4⤵
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_es-es_06b0aff4812e0713\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_es-es_06b0aff4812e0713\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..commands2.resources_31bf3856ad364e35_6.1.7601.17514_es-es_06b0aff4812e0713\
      4⤵
      PID:880
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8c7510e3977de711\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8c7510e3977de711\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..mpleditor.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8c7510e3977de711\
      4⤵
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_es-es_8619da5aaca7159d\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_es-es_8619da5aaca7159d\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.grouppoli..t.interop.resources_31bf3856ad364e35_6.1.7601.17514_es-es_8619da5aaca7159d\
      4⤵
      PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_bafec12d4851775e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_bafec12d4851775e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..dfsresmui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_bafec12d4851775e\
      4⤵
      PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_ddfd2b152f222a41\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_ddfd2b152f222a41\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..fsrhelper.resources_31bf3856ad364e35_6.1.7601.17514_es-es_ddfd2b152f222a41\
      4⤵
      PID:812
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_7c172be2434c60cd\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_7c172be2434c60cd\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..rshostmui.resources_31bf3856ad364e35_6.1.7601.17514_es-es_7c172be2434c60cd\
      4⤵
      PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_es-es_85ea0e242131cffe\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_es-es_85ea0e242131cffe\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.remotefil..t-console.resources_31bf3856ad364e35_6.1.7601.17514_es-es_85ea0e242131cffe\
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a7c8d974eb72672e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a7c8d974eb72672e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.security...icyengine.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a7c8d974eb72672e\
      4⤵
      PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_es-es_01ced58c9942ae67\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_es-es_01ced58c9942ae67\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_es-es_01ced58c9942ae67\
      4⤵
      PID:2448
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_es-es_57e82fa3584ccf8e\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_es-es_57e82fa3584ccf8e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_es-es_57e82fa3584ccf8e\
      4⤵
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_3d0cf71ea727ac84\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_3d0cf71ea727ac84\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft.windows.winhttp.resources_31bf3856ad364e35_6.0.7600.16385_es-es_3d0cf71ea727ac84\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:916
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-activedir..helpfiles.resources_31bf3856ad364e35_6.1.7601.17514_es-es_200065a48bacaab1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-activedir..helpfiles.resources_31bf3856ad364e35_6.1.7601.17514_es-es_200065a48bacaab1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-activedir..helpfiles.resources_31bf3856ad364e35_6.1.7601.17514_es-es_200065a48bacaab1\
      4⤵
      PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-hyper-v-g..installer.resources_31bf3856ad364e35_6.1.7601.17514_es-es_69aacb97cf225f70\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-hyper-v-g..installer.resources_31bf3856ad364e35_6.1.7601.17514_es-es_69aacb97cf225f70\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-hyper-v-g..installer.resources_31bf3856ad364e35_6.1.7601.17514_es-es_69aacb97cf225f70\
      4⤵
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-storage-s..mc-native.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c6e0a84c2b680eec\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-storage-s..mc-native.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c6e0a84c2b680eec\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-storage-s..mc-native.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c6e0a84c2b680eec\
      4⤵
      System Location Discovery: System Language Discovery
      PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..apc-layer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5984b52a377588d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..apc-layer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5984b52a377588d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..apc-layer.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c5984b52a377588d\
      4⤵
      PID:324
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..audiocore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_243046817bd81e3d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..audiocore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_243046817bd81e3d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..audiocore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_243046817bd81e3d\
      4⤵
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..bilitycpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_696e13bb3ff14528\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..bilitycpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_696e13bb3ff14528\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..bilitycpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_696e13bb3ff14528\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:860
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c7e524572c62fe1c\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c7e524572c62fe1c\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ce-router.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c7e524572c62fe1c\
      4⤵
      System policy modification
      PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_69cd279a554d50be\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_69cd279a554d50be\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_es-es_69cd279a554d50be\
      4⤵
      PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..e-apphelp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_85bfe66ff35583fd\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..e-apphelp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_85bfe66ff35583fd\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..e-apphelp.resources_31bf3856ad364e35_6.1.7600.16385_es-es_85bfe66ff35583fd\
      4⤵
      PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59509e966577143c\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59509e966577143c\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ecore-acm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_59509e966577143c\
      4⤵
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ercomtool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4b365269fbcf9352\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ercomtool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4b365269fbcf9352\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ercomtool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4b365269fbcf9352\
      4⤵
      PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ertypages.resources_31bf3856ad364e35_6.1.7601.17514_es-es_d26355d57f8e1b0a\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ertypages.resources_31bf3856ad364e35_6.1.7601.17514_es-es_d26355d57f8e1b0a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ertypages.resources_31bf3856ad364e35_6.1.7601.17514_es-es_d26355d57f8e1b0a\
      4⤵
      PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c06fbf9ac6a4a757\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c06fbf9ac6a4a757\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..figurator.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c06fbf9ac6a4a757\
      4⤵
      PID:108
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..in-native.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1e7241a35d49e972\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..in-native.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1e7241a35d49e972\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..in-native.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1e7241a35d49e972\
      4⤵
      PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ionrecord.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12bda33d235e4447\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ionrecord.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12bda33d235e4447\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ionrecord.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12bda33d235e4447\
      4⤵
      PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..istant-ui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3569ec57357011d4\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..istant-ui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3569ec57357011d4\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..istant-ui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_3569ec57357011d4\
      4⤵
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0a4b94dce75e4f0d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0a4b94dce75e4f0d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..leshooter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0a4b94dce75e4f0d\
      4⤵
      PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4c4f869097f6d0f\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4c4f869097f6d0f\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e4c4f869097f6d0f\
      4⤵
      PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..managerui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4409124876a0c647\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..managerui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4409124876a0c647\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..managerui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4409124876a0c647\
      4⤵
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..mecontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dcd9ab0802196857\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..mecontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dcd9ab0802196857\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..mecontrol.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dcd9ab0802196857\
      4⤵
      PID:680
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12f2096cfbd83f09\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12f2096cfbd83f09\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..oldertool.resources_31bf3856ad364e35_6.1.7600.16385_es-es_12f2096cfbd83f09\
      4⤵
      PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8b1e4a75fe840204\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8b1e4a75fe840204\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8b1e4a75fe840204\
      4⤵
      System policy modification
      PID:1176
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-logger.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9939fbe389b36fb3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-logger.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9939fbe389b36fb3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-logger.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9939fbe389b36fb3\
      4⤵
      PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-wizard.resources_31bf3856ad364e35_6.1.7601.17514_es-es_41a2cd3324feebba\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-wizard.resources_31bf3856ad364e35_6.1.7601.17514_es-es_41a2cd3324feebba\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..on-wizard.resources_31bf3856ad364e35_6.1.7601.17514_es-es_41a2cd3324feebba\
      4⤵
      PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..orecodecs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_43be31b1243492e3\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..orecodecs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_43be31b1243492e3\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..orecodecs.resources_31bf3856ad364e35_6.1.7600.16385_es-es_43be31b1243492e3\
      4⤵
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ore-other.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb0a3e49f4c05a5d\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ore-other.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb0a3e49f4c05a5d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..ore-other.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb0a3e49f4c05a5d\
      4⤵
      System policy modification
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..-provider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ee58c543f41a2ee\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..-provider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ee58c543f41a2ee\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..-provider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2ee58c543f41a2ee\
      4⤵
      PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..-provider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f588efeb9be822f1\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..-provider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f588efeb9be822f1\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..-provider.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f588efeb9be822f1\
      4⤵
      PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e78fb50114c8677a\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e78fb50114c8677a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e78fb50114c8677a\
      4⤵
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f7c9fbadf81b5982\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f7c9fbadf81b5982\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..structure.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f7c9fbadf81b5982\
      4⤵
      PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..tigations.resources_31bf3856ad364e35_6.1.7600.16385_es-es_195e338ff15135b7\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..tigations.resources_31bf3856ad364e35_6.1.7600.16385_es-es_195e338ff15135b7\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..tigations.resources_31bf3856ad364e35_6.1.7600.16385_es-es_195e338ff15135b7\
      4⤵
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..tigations.resources_31bf3856ad364e35_6.1.7601.17514_es-es_1b8f4757ee3fb951\System Restore.exe
      "C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..tigations.resources_31bf3856ad364e35_6.1.7601.17514_es-es_1b8f4757ee3fb951\System Restore.exe" C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..tigations.resources_31bf3856ad364e35_6.1.7601.17514_es-es_1b8f4757ee3fb951\
      4⤵
      System Location Discovery: System Language Discovery
      PID:1280
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..wdm-audio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_70558c4c635516a0\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..wdm-audio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_70558c4c635516a0\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..wdm-audio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_70558c4c635516a0\
      4⤵
      PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..xtensions.resources_31bf3856ad364e35_6.1.7600.16385_es-es_627548c18b08f745\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..xtensions.resources_31bf3856ad364e35_6.1.7600.16385_es-es_627548c18b08f745\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-a..xtensions.resources_31bf3856ad364e35_6.1.7600.16385_es-es_627548c18b08f745\
      4⤵
      PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_es-es_28e7c8ea22249e99\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_es-es_28e7c8ea22249e99\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7600.16385_es-es_28e7c8ea22249e99\
      4⤵
      System policy modification
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_2b18dcb21f132233\data.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_2b18dcb21f132233\data.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-acledit.resources_31bf3856ad364e35_6.1.7601.17514_es-es_2b18dcb21f132233\
      4⤵
      PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4173873612663c97\update.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4173873612663c97\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-aclui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4173873612663c97\
      4⤵
      PID:2024
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_182b2b3b124f76ad\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_182b2b3b124f76ad\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-advapi32.resources_31bf3856ad364e35_6.1.7600.16385_es-es_182b2b3b124f76ad\
      4⤵
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-advpack.resources_31bf3856ad364e35_8.0.7600.16385_es-es_5183c763e1195ba8\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-advpack.resources_31bf3856ad364e35_8.0.7600.16385_es-es_5183c763e1195ba8\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-advpack.resources_31bf3856ad364e35_8.0.7600.16385_es-es_5183c763e1195ba8\
      4⤵
      PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-alttab.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e22bc19b456a9019\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-alttab.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e22bc19b456a9019\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-alttab.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e22bc19b456a9019\
      4⤵
      PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-appwiz.resources_31bf3856ad364e35_6.1.7600.16385_es-es_302e68ca7021e39c\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-appwiz.resources_31bf3856ad364e35_6.1.7600.16385_es-es_302e68ca7021e39c\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-appwiz.resources_31bf3856ad364e35_6.1.7600.16385_es-es_302e68ca7021e39c\
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-at.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5fb397d36345b822\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-at.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5fb397d36345b822\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-at.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5fb397d36345b822\
      4⤵
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-atbroker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_66dabcb28fd114ef\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-atbroker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_66dabcb28fd114ef\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-atbroker.resources_31bf3856ad364e35_6.1.7600.16385_es-es_66dabcb28fd114ef\
      4⤵
      PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-atl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9e9c4a6e6486857a\backup.exe
      C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-atl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9e9c4a6e6486857a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\x86_microsoft-windows-atl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9e9c4a6e6486857a\
      4⤵
      PID:1204
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000007\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000007\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000007\
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000008\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000008\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000008\
    3⤵
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000009\update.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000009\update.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000009\
    3⤵
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000a\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000a\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000a\
    3⤵
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000b\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000b\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000b\
    3⤵
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000c\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000c\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000c\
    3⤵
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000d\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000d\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000d\
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000e\backup.exe
    C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000e\backup.exe C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-0000000e\
    3⤵
    PID:1664
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\backup.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\
  2⤵
  PID:584
- C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe
  C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\backup.exe C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\
  2⤵
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\VBE\backup.exe C:\Users\Admin\AppData\Local\Temp\VBE\
  2⤵
  PID:544
- C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe
  C:\Users\Admin\AppData\Local\Temp\WPDNSE\backup.exe C:\Users\Admin\AppData\Local\Temp\WPDNSE\
  2⤵
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\System Restore.exe

Filesize
168KB

MD5
ee8541251db589b366d2ccebda586d30

SHA1
70d1f8f33a3bf2001a5242cea95dc6242b69f149

SHA256
d48db19c3ed6bed516a0fa58c5355f6a58103a7a2089b8f5a764f6973be5e4c0

SHA512
b487fc53beb0a412ac4958017e6a6f8e73dfbb0c975373efddb6ebacd58bfdcd8ec80fcb5e024491b2a6eb6a9d5a81928ded59d30dc6d296b94198407a2ab39e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_es-es_6bc8c2f4dd77ad5d\backup.exe

Filesize
168KB

MD5
b179371d6f89d9a9450a98c49a777b86

SHA1
c3797efe3f24a183d95d9a10971e44930c36887a

SHA256
d06109a818c1d7074a647e8a4271bfed266f27cb4a3b1a7dbb95f8f660e87764

SHA512
f010dfa88eb88213d96482865efc39a97c1799a44fea284241090c3790cd6c80fe1afb7656702146aaaa77692a5659149f537cc880889e2e4b9df7c2a51dde6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_es-es_eb07b84d53fabc90\backup.exe

Filesize
168KB

MD5
e8de78bafec91f2b6511a0ec7752018c

SHA1
7f7e0e384fdb0202288130bdb1769b1f83de9fec

SHA256
e535ec4d46400751e8db6339f5c3eb203cdfbd1fbe7f04c8a02fd7a3762e6772

SHA512
fd3b71d16eb3dfa7c04afb539706824c251a0feb80a8968e4401ef13d3e044a7dbd70865b4f607aa78bfbc404eda58997dd932ebe4f09d5c0d25cac79a9bd274

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
48KB

MD5
c402e15dd3e4f451f6e9b1bd1de59a33

SHA1
eb7d6522dfa314ffb1c81e2d40b03505f736a468

SHA256
a7c1252e65c612d62b64f645506fe4d77a4e8373ce9538c14091de17c927c34c

SHA512
2bce0da7a7134c47ff45775a36a936a3309eec74107acbe806096e33137e9be66e050fa6b619acf9e7d9d3b9d7e528462c85cef25bb2cc4f4f4b0fce186ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.zip

Filesize
22B

MD5
76cdb2bad9582d23c1f6f4d868218d6c

SHA1
b04f3ee8f5e43fa3b162981b50bb72fe1acabb33

SHA256
8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85

SHA512
5e2f959f36b66df0580a94f384c5fc1ceeec4b2a3925f062d7b68f21758b86581ac2adcfdde73a171a28496e758ef1b23ca4951c05455cdae9357cc3b5a5825f

Download Submit
\PerfLogs\Admin\backup.exe

Filesize
168KB

MD5
62b32d86d0ec444e73e0fdae67fd8d46

SHA1
6f6ad77aa64c683763ba6d4953f425e94a094b69

SHA256
33abd48a10eb4efa78dde04443f532efd4ef438401ce3d4da068e6f971f736f8

SHA512
db0523977aed398a162eae538db0fd3edbe8baada640e459e5a4df80006faa33a4f1da021d04c27e59b68420c13b795b78daeae19a16b0527864dae2741edb05

Download Submit
\PerfLogs\backup.exe

Filesize
168KB

MD5
1a8823df516ee355031a1e8214cb4e16

SHA1
cd09d7ae743b525ee9ac5acd0710e638b1b3f829

SHA256
808e377bee17664831a1463f007262ccdca46328ad4e49245565d033427c1709

SHA512
ace081d8a5288609ba3f36d16d43cac1b07901132fa32d3f2e2fe2beec061fd661ccd763224f59c024492f80f5e0d970ea965069f76cc9e3ce555c469e08124c

Download Submit
\Program Files\7-Zip\Lang\backup.exe

Filesize
168KB

MD5
40322fa085d458f8fed5712acfdde6ea

SHA1
f2efd58eb9dfe3f35f33930008edfbfe469f8b25

SHA256
f9bb46b0f0b426e5b6a1d7791b4cf0b7397ed12635a0c268a091c950dda0f4be

SHA512
810a81d11e0cc1be681b37da0a73e79565a790fef7cfce215baea64e8af10f97345133a6abf8542a9adb5e0f6675106458192ac2416b3e8cd973efde476f73ee

Download Submit
\Program Files\7-Zip\backup.exe

Filesize
168KB

MD5
2568aa59ff1d42ef4223e30b72c265b0

SHA1
fc0c07f38a271f90c7d166bf158f0f48c2f25163

SHA256
15276149a2c4265cb45a6a2c967c558db54e38b0d1da96a327a7785e95e935e8

SHA512
e8f7f8051e993d27da6ed33a523eb713892c23371699c06c229e53b3e962cbe222dfba4ec793b819404746379613ce82f090d99093c036d420a89ab342197553

Download Submit
\Program Files\Common Files\Microsoft Shared\backup.exe

Filesize
168KB

MD5
538aff4967d625745ca2cdddce2e5289

SHA1
ab5e822afcf56bc5973b9d1a8890d5377e107b64

SHA256
064643b31703ea9ee6e6c55f1185ddfd93d94594cbb162fa5ee17f1306bf319f

SHA512
cc552292d04304a4af428ecf2ffa0778bb50022f3f4d6c8bea163c3e0e01bdc27ab08c623805bd57f8f625e581b2c946006e32a0030f98bc653b394328cf7935

Download Submit
\Program Files\Common Files\backup.exe

Filesize
168KB

MD5
a72d6768867ff94db3719e6efba4c78e

SHA1
dc6594da94d8006d1c9b4dc4ecbc09335ff942e3

SHA256
62c77c29d21af77540a90a8ecb52cfdc701cc388e48ed2a3b20135d1c0642f6b

SHA512
c064135e5ad50e13cfb96c5a50de71fee131b885162b2eb69e6de6773ebaa8b6b0facc31e76abfe410758103d70aaddc9e71e3c99269c2911ed0f8f14fdad736

Download Submit
\Program Files\backup.exe

Filesize
168KB

MD5
35b0d5014e5d6e79b9cf9750042c54c8

SHA1
c8ba077192371fb87ace9ed002270ffa3c0444ac

SHA256
c78880ffe8c98a6d80a2be5f77e8e40d9b0aa8d783869416f195220207f1043e

SHA512
6e5b336e7758e97af8ab613767dc1ef85ebafeaefa03efce005a6705d6570c5910ae833df3595fb6c307d64365a08cf5c0e903c94143955642696ad03b34d301

Download Submit
\Users\Admin\AppData\Local\Temp\2020447974\backup.exe

Filesize
168KB

MD5
feab0eab8ce4f12baa9b2a22e50a9623

SHA1
9083048b87c3d9a00531b69a66ad22332817ccf6

SHA256
14051b41e70a6ec70ca6403fce18c8811aa975266e9c35f2f4d1b738eb68b81b

SHA512
63eff9fdb25fb256f0d9d3890c8b306e899cb756c7a2f9e173efdc51fd6f11a0fb9f7cd334ba6937ba9eae0560d27b481a86203b84af79dfe9ed39285bff7863

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\backup.exe

Filesize
168KB

MD5
e6ad2ffe3a84c8713e09db9d187ce945

SHA1
6f1bd96e3005b6620a5ecc0b3f66762814b50747

SHA256
b5ab4d12cde96120752618b97f06fe05eb9d14e8375e93f1430d515eb24e3377

SHA512
a0134da5b9027456e4e2bb2afeba53807191be228edff279388ad6060fea25e57fb35cd8b36b639f541860fd9b003e04f10df90063ba9538da142431ec54c111

Download Submit
\Users\Admin\AppData\Local\Temp\lpksetup\lpk-tmp-00000006\backup.exe

Filesize
168KB

MD5
689261d09146858f02a46c7e2b98cffd

SHA1
c961dfd9741ec2b84e6ef05655dd6386911f75af

SHA256
77a3b3759bedd500427f0d0a6728ce83e5f9cf36c8199a39e2deff041d94c258

SHA512
f7def0e2f6a8a8f103a7f40bfb1dde14fa2a7fb77022a1063c23c6a471bc512b4207b1b3187014dfb6459b6908155038efa74dadc89af19be95bd6bcafb477ae

Download Submit
memory/564-148-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/596-290-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/672-447-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/828-287-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/828-288-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/828-267-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/828-272-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/916-228-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/924-189-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/928-412-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1300-1882-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1332-258-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1632-329-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1664-1510-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1668-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-73-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1668-22-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1668-60-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1668-41-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-11-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1696-434-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1984-241-0x0000000000510000-0x000000000053A000-memory.dmp

Filesize
168KB

Download
memory/1984-170-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2020-270-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2052-171-0x0000000000350000-0x000000000037A000-memory.dmp

Filesize
168KB

Download
memory/2052-191-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-326-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-1791-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2152-90-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/2152-94-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2160-252-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2184-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2188-245-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2188-268-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2188-219-0x0000000000280000-0x00000000002AA000-memory.dmp

Filesize
168KB

Download
memory/2244-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2276-61-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2276-117-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2276-121-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2276-52-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2288-348-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2304-174-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2320-190-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2352-377-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2380-1870-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2384-428-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2456-310-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2476-618-0x0000000076AC0000-0x0000000076BBA000-memory.dmp

Filesize
1000KB

Download
memory/2476-5809-0x0000000076BC0000-0x0000000076CDF000-memory.dmp

Filesize
1.1MB

Download
memory/2476-617-0x0000000076BC0000-0x0000000076CDF000-memory.dmp

Filesize
1.1MB

Download
memory/2496-345-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/2496-439-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/2496-361-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/2496-339-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/2496-308-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2496-455-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/2496-454-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/2512-302-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2512-309-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2560-91-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/2560-103-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2620-396-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2688-368-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-4376-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2692-4375-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2736-435-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-238-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-223-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-299-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-279-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-334-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-273-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-360-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-362-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-266-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-259-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-374-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-336-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-390-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-246-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-118-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-403-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-236-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-127-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-417-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-317-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-335-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-301-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-224-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-443-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-206-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-207-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-194-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-452-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-182-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-159-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/2736-149-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2752-383-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2768-119-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2792-350-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2796-89-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2796-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2832-418-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2856-1832-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2856-1834-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2972-395-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3016-99-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads